CVE-2025-34074: Lucee Administrative Interface RCE Flaw

CVE-2025-34074 is an authenticated remote code execution vulnerability in Lucee's administrative interface that allows administrators to execute arbitrary code via scheduled task abuse. This article covers the details.

Published: March 31, 2026

CVE-2025-34074 Overview

An authenticated remote code execution vulnerability exists in Lucee's administrative interface due to an insecure design flaw in the scheduled task functionality. This vulnerability allows an attacker with administrative access to configure a scheduled job that retrieves a malicious .cfm file from an attacker-controlled server, writes it to the Lucee webroot, and executes it with the privileges of the Lucee service account. The lack of integrity checks, path restrictions, or execution controls for scheduled task fetches makes this feature susceptible to abuse for arbitrary code execution.

Critical Impact

Authenticated attackers can achieve full remote code execution on systems running Lucee by exploiting the scheduled task feature to deploy and execute malicious ColdFusion Markup (CFM) files.

Affected Products

  • Lucee CFML Engine (versions with vulnerable scheduled task functionality)
  • Lucee Administrative Web Interface (/lucee/admin/web.cfm)

Discovery Timeline

  • 2025-07-02 - CVE-2025-34074 published to NVD
  • 2025-07-03 - Last updated in NVD database

Technical Details for CVE-2025-34074

Vulnerability Analysis

This vulnerability stems from a design weakness in how Lucee handles scheduled tasks within its administrative interface (CWE-94: Code Injection). The scheduled task feature is intended to allow administrators to automate recurring operations, including fetching remote resources. However, the implementation fails to enforce critical security controls that would prevent abuse.

When an administrator configures a scheduled job to fetch a remote file, Lucee does not validate the source, verify the integrity of the retrieved content, restrict the destination path, or prevent execution of fetched files. This allows an attacker who has compromised or obtained administrative credentials to weaponize this legitimate feature for malicious purposes.

The attack requires authenticated access to the Lucee administrative panel, but once that access is obtained, exploitation is straightforward. A Metasploit module already exists for this vulnerability, indicating that exploitation is well-documented and accessible to attackers with moderate skill levels.

Root Cause

The root cause is the absence of security controls in Lucee's scheduled task implementation. Specifically:

  1. No Source Validation: Lucee accepts URLs from any external server without verification
  2. No Integrity Checks: Retrieved files are not validated against checksums or signatures
  3. No Path Restrictions: Files can be written directly to the webroot directory
  4. No Execution Prevention: Downloaded .cfm files are immediately executable by the Lucee engine

This represents a classic "insecure by design" pattern where powerful administrative functionality lacks appropriate safeguards.

Attack Vector

The attack is network-based and requires authenticated access to the Lucee administrative interface. The exploitation workflow involves:

  1. Initial Access: Attacker gains credentials to /lucee/admin/web.cfm through credential theft, brute force, or default credentials
  2. Malicious Server Setup: Attacker hosts a malicious .cfm payload on an attacker-controlled web server
  3. Scheduled Task Creation: Attacker creates a scheduled job configured to fetch the remote payload and save it to the Lucee webroot
  4. Task Execution: The scheduled task runs (either immediately or on schedule), downloading the malicious file
  5. Payload Execution: Attacker requests the downloaded .cfm file via HTTP, triggering code execution with Lucee service account privileges

The vulnerability is network-exploitable with no user interaction required beyond the initial authentication, enabling attackers to establish persistent access or pivot to other systems on the network.

Detection Methods for CVE-2025-34074

Indicators of Compromise

  • Unexpected .cfm files appearing in the Lucee webroot directory
  • Scheduled tasks configured to fetch files from external or unknown URLs
  • HTTP requests to newly created .cfm files from external IP addresses
  • Lucee service account executing suspicious commands or spawning unexpected child processes
  • Network connections from the Lucee server to unusual external hosts

Detection Strategies

  • Monitor Lucee administrative interface access logs for scheduled task creation or modification events
  • Implement file integrity monitoring on the Lucee webroot directory to detect unauthorized file additions
  • Deploy network monitoring to identify outbound connections from the Lucee server to unknown external hosts
  • Alert on the creation of new scheduled tasks, especially those targeting external URLs

Monitoring Recommendations

  • Enable verbose logging for the Lucee administrative interface and scheduled task subsystem
  • Configure SIEM rules to correlate administrative logins with subsequent scheduled task changes
  • Monitor for web shell indicators such as command execution functions in newly created files
  • Implement egress filtering to restrict which external hosts the Lucee server can communicate with
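The correlation the monitoring recommendations describe (an administrative session changing a scheduled task, followed by the first request to a .cfm that was never served before), as an added example over constructed access-log lines. This is not SentinelOne's or Lucee's code: it assumes common log format, and it treats a POST to /lucee/admin/web.cfm whose query string contains "schedule" as a scheduled-task change, which is an assumption since the admin action names differ between Lucee versions.

```python
"""Correlate Lucee access-log lines to surface the CVE-2025-34074 sequence: an admin
scheduled-task change followed by the first request to a previously unseen .cfm.
Added example, not SentinelOne's or Lucee's code. Assumes common log format and that
task changes appear as POSTs to /lucee/admin/web.cfm with "schedule" in the query
string (an assumption; admin action names vary by version). Log lines are constructed."""
import re
from datetime import datetime, timedelta

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADMIN = "/lucee/admin/web.cfm"

def parse(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev

def find_sequences(lines, window=timedelta(minutes=30), known_cfm=()):
    """Return (admin_ip, change_time, cfm_path) for each first-seen .cfm outside the admin
    tree requested within `window` after a scheduled-task POST. Seed known_cfm with the
    application's legitimate .cfm paths so a normal page load is not reported."""
    seen, changes, hits = set(known_cfm), {}, []   # changes: admin ip -> last task POST
    for ev in filter(None, map(parse, lines)):
        path, _, query = ev["path"].partition("?")
        if path == ADMIN and ev["method"] == "POST" and "schedule" in query.lower():
            changes[ev["ip"]] = ev["ts"]
        elif path.lower().endswith(".cfm") and not path.startswith("/lucee/admin/") \
                and path not in seen:
            seen.add(path)
            for ip, t in changes.items():
                if timedelta(0) <= ev["ts"] - t <= window:
                    hits.append((ip, t, path))
    return hits

# Constructed sample: an admin session creates a task, then a new .cfm is requested from outside.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2025:10:00:01 +0000] "POST /lucee/admin/web.cfm?action=overview HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2025:10:03:30 +0000] "POST /lucee/admin/web.cfm?action=services.schedule HTTP/1.1" 200 400
198.51.100.7 - - [01/Jul/2025:10:04:02 +0000] "GET /index.cfm HTTP/1.1" 200 1024
203.0.113.10 - - [01/Jul/2025:10:05:12 +0000] "GET /tmp/shell.cfm HTTP/1.1" 200 230
203.0.113.10 - - [01/Jul/2025:10:06:00 +0000] "GET /tmp/shell.cfm HTTP/1.1" 200 230
""".splitlines()
```

Running `find_sequences(SAMPLE_LOG, known_cfm={"/index.cfm"})` reports only the `/tmp/shell.cfm` request; without the seed the ordinary `/index.cfm` load is reported too, which is why a baseline of legitimate paths matters in practice.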

How to Mitigate CVE-2025-34074

Immediate Actions Required

  • Audit all existing scheduled tasks in Lucee for suspicious remote URL configurations
  • Review administrative account credentials and enforce strong, unique passwords
  • Restrict network access to the Lucee administrative interface (/lucee/admin/) to trusted management networks only
  • Implement multi-factor authentication for administrative access where possible
  • Consider disabling the scheduled task feature entirely if not required for business operations
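A way to carry out the scheduled-task audit listed above (and the "alert on tasks targeting external URLs" detection strategy), as an added example that is not SentinelOne's or Lucee's code. Each task is represented as a dict with the fields name, url, publish and file, which is assumed to mirror what an administrator can export from the Lucee admin; the webroot path, the host allowlist and the sample tasks are constructed.

```python
"""Audit Lucee scheduled-task definitions for the CVE-2025-34074 abuse pattern.
Added example, not SentinelOne's or Lucee's code. Each task is a dict with the fields
name, url, publish and file (assumed to mirror a Lucee admin export); the webroot,
host allowlist and sample records below are constructed."""
import posixpath
from urllib.parse import urlparse

WEBROOT = "/var/www/lucee/webroot"            # assumed Lucee webroot
ALLOWED_HOSTS = {"reports.internal.example"}  # assumed fetch allowlist
EXECUTABLE_EXT = {".cfm", ".cfml", ".cfc"}    # extensions the CFML engine executes

def _resolve(path, webroot=WEBROOT):
    """Normalise a destination; relative paths are taken as relative to the webroot."""
    if not path.startswith("/"):
        path = posixpath.join(webroot, path)
    return posixpath.normpath(path)  # collapses ".." so traversal into the webroot shows

def audit_task(task, webroot=WEBROOT, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for one task; [] means clean, a 'high:' entry is the RCE pattern."""
    findings = []
    host = (urlparse(task.get("url", "")).hostname or "").lower()
    if host and host not in allowed_hosts:
        findings.append(f"fetches from non-allowlisted host {host}")
    if str(task.get("publish", "")).lower() == "true" and task.get("file"):
        dest = _resolve(task["file"], webroot)
        in_webroot = dest == webroot or dest.startswith(webroot.rstrip("/") + "/")
        executable = posixpath.splitext(dest)[1].lower() in EXECUTABLE_EXT
        if in_webroot:
            findings.append(f"writes fetched content into the webroot at {dest}")
        if executable:
            findings.append(f"destination {dest} has an executable CFML extension")
        if in_webroot and executable:
            findings.append("high: remote fetch published as executable CFML under the webroot")
    return findings

def audit_tasks(tasks, **kw):
    """Map task name -> findings for every task that produced at least one finding."""
    return {t.get("name", "?"): f for t in tasks if (f := audit_task(t, **kw))}

# Constructed sample: a benign report task, a task shaped like the exploit, a fetch-only task.
SAMPLE_TASKS = [
    {"name": "nightly-report", "url": "https://reports.internal.example/summary.pdf",
     "publish": "true", "file": "reports/summary.pdf"},
    {"name": "sync", "url": "http://203.0.113.10/shell.cfm",
     "publish": "true", "file": "../webroot/tmp/shell.cfm"},
    {"name": "keepalive", "url": "http://203.0.113.10/ping", "publish": "false", "file": ""},
]
```

The "sync" record shows why path normalisation matters: its relative `../webroot/...` destination still lands inside the webroot, and the combination of external source, webroot destination and .cfm extension is exactly the pattern the advisory describes.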

Patch Information

Consult the Lucee GitHub repository for the latest security updates and patches addressing this vulnerability. Review the VulnCheck Advisory for Lucee RCE for specific remediation guidance. Note that this issue is distinct from CVE-2024-55354 and may require separate patching.

Workarounds

  • Restrict access to /lucee/admin/ endpoints at the web server or load balancer level using IP allowlists
  • Implement egress filtering on the Lucee server to block outbound HTTP/HTTPS connections to unauthorized destinations
  • Deploy a web application firewall (WAF) to monitor and block suspicious administrative actions
  • Run Lucee with a low-privilege service account to limit the impact of successful exploitation
  • Consider placing the administrative interface on a separate, isolated network segment

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Lucee
  • Severity: CRITICAL
  • CVSS Score: 9.4
  • EPSS Probability: 57.33%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-94

Technical References

  • GitHub Lucee Repository
  • Metasploit Exploit Module
  • VulnCheck Advisory for Lucee RCE

Related CVEs

  • CVE-2021-21307: Lucee Server RCE Vulnerability