Multiple Critical Vulnerabilities Disclosed in Adobe ColdFusion
Adobe has released security updates addressing several critical and high-severity vulnerabilities in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. The vulnerabilities include improper input validation, improper access control, unrestricted upload of files with dangerous types, deserialization of untrusted data, and improper restriction of XML external entity references. These flaws could allow attackers to bypass security features, gain unauthorized read and write access, execute arbitrary code, escalate privileges, and read sensitive files from the server. Most of these vulnerabilities can be exploited remotely and do not require user interaction, with some specifically requiring high-privileged access.
Adobe's security bulletin (APSB25-105) confirms that there are currently no known exploits in the wild for these issues. The company strongly recommends users update to the latest versions—ColdFusion 2025 Update 5, 2023 Update 17, and 2021 Update 23—to mitigate the risks. Additional guidance includes using the latest MySQL Java connector and reviewing updated serial filter documentation to protect against insecure deserialization attacks. Organizations using affected ColdFusion versions should prioritize patching to prevent potential exploitation of these vulnerabilities.
Timeline
Dec 10, 2025
Adobe discloses six ColdFusion vulnerabilities
Adobe PSIRT disclosed CVE-2025-61808, CVE-2025-61809, CVE-2025-61810, CVE-2025-61811, CVE-2025-61812, and CVE-2025-61813, including critical file upload and input validation flaws and high-severity deserialization, access control, input validation, and XXE issues. The vulnerabilities could enable arbitrary code execution, unauthorized read/write access, or arbitrary file reads depending on the flaw.
Dec 9, 2025
Adobe publishes APSB25-105 ColdFusion security bulletin
Adobe published security advisory APSB25-105 covering multiple ColdFusion vulnerabilities affecting versions 2025.4, 2023.16, 2021.22, and earlier, and provided patched versions or update guidance.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Vulnerabilities
Affected Products
Sources
2 more from sources like cvefeed high severity and adobe product advisories
Related Stories
Adobe ColdFusion Flaws Enable Unauthenticated Code Execution and File Read
Adobe disclosed two high-severity vulnerabilities in **ColdFusion** that affect versions **2023.18, 2025.6, and earlier**. The first, `CVE-2026-27304`, is an improper input validation flaw (`CWE-20`) that can lead to **arbitrary code execution** in the context of the current user without requiring user interaction. Adobe assigned the issue a CVSS v3.1 vector of `AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N` and published details in security bulletin **APSB26-38**. Adobe also disclosed `CVE-2026-27305`, a **path traversal** vulnerability (`CWE-22`) in the same ColdFusion versions that allows an unauthenticated remote attacker to perform **arbitrary file system reads** and access sensitive files outside intended directories. The flaw likewise requires no user interaction and carries a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N`, making the pair of issues a significant risk for exposed ColdFusion deployments.
2 weeks ago
Multiple Critical Vulnerabilities in Adobe Products Allowing Arbitrary Code Execution
Adobe released security advisories addressing multiple vulnerabilities across a range of its products, including ColdFusion, Adobe Experience Manager (AEM), DNG Software Development Kit (SDK), Acrobat, Acrobat Reader, and the Creative Cloud Desktop Application. The most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user, potentially enabling attackers to install programs, modify or delete data, or create new accounts with full user rights. Affected versions span ColdFusion 2025, 2023, and 2021, AEM Cloud Service and 6.5 LTS, DNG SDK 1.7.0 and prior, Acrobat and Acrobat Reader 2020 and 2024 for both Windows and Mac, and Creative Cloud Desktop Application 6.4.0.361 and earlier. Users and administrators are strongly encouraged to review the official advisories and apply the necessary updates to mitigate risk. Threat intelligence at the time of disclosure indicated no reports of these vulnerabilities being exploited in the wild. The advisories emphasize that users with administrative privileges are at greater risk if exploited, and recommend prompt patching to reduce exposure. Organizations relying on Adobe products for document management, web application development, or digital asset workflows should prioritize these updates to prevent potential compromise through remote code execution vulnerabilities.
1 months ago
Critical Vulnerabilities Patched in Multiple Adobe Products Allowing Arbitrary Code Execution
Adobe released urgent security updates addressing over 35 vulnerabilities across a wide range of its products, with several flaws rated as critical due to their potential to allow arbitrary code execution. The most severe vulnerabilities affect Adobe Connect, Adobe Commerce, Magento Open Source, Creative Cloud Desktop, Bridge, Animate, and other widely used applications. Among the most critical issues are two DOM-based cross-site scripting (XSS) vulnerabilities in Adobe Connect, identified as CVE-2025-49553 and CVE-2025-49552, with CVSS scores of 9.3 and 7.3 respectively. These vulnerabilities could enable attackers to execute arbitrary code on targeted systems if exploited. Additionally, a moderate-severity open redirect vulnerability (CVE-2025-54196) was also patched in Adobe Connect. The vulnerabilities were disclosed by a security researcher known as Laish (a_l), and Adobe Connect users are specifically urged to update to version 12.10 for both Windows and macOS to mitigate these risks. Adobe Commerce and Magento Open Source, both critical e-commerce platforms, were also affected by high-risk vulnerabilities that could potentially compromise online stores. Other Adobe products receiving security updates include Creative Cloud, Bridge, Animate, Experience Manager, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Adobe has stated that, as of the time of the advisory, there is no evidence that these vulnerabilities have been exploited in the wild. Nevertheless, the company strongly recommends that all customers apply the updates immediately to prevent potential exploitation. The vulnerabilities span a variety of attack vectors, including XSS and open redirect, which could be leveraged for code execution or phishing attacks. The breadth of affected products highlights the widespread risk to organizations relying on Adobe’s software for collaboration, content creation, and e-commerce. Security advisories from both industry groups and Adobe emphasize the urgency of patching, especially for organizations using Adobe Connect and e-commerce platforms. The updates are part of Adobe’s regular security cycle, but the critical nature of several flaws makes this release particularly important. Organizations are advised to review their deployment of Adobe products and prioritize patching based on the severity and exposure of affected systems. The disclosure and rapid patching of these vulnerabilities underscore the ongoing need for vigilance and timely software updates in enterprise environments. Adobe’s response demonstrates a coordinated effort to address security risks across its product suite. The advisories provide detailed information on affected versions and recommended mitigation steps. Security teams should monitor for any signs of attempted exploitation and ensure that all relevant systems are updated promptly. The incident serves as a reminder of the persistent threat posed by software vulnerabilities in widely deployed applications.
1 months ago