CVE-2025-61810: Adobe ColdFusion RCE Vulnerability

CVE-2025-61810 is a deserialization of untrusted data vulnerability in Adobe ColdFusion that enables remote code execution. Attackers with high privileges can exploit this flaw to execute arbitrary code.

CVE-2025-61810 Overview

CVE-2025-61810 is a deserialization of untrusted data vulnerability [CWE-502] affecting Adobe ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. The flaw allows a high-privileged attacker to execute arbitrary code in the context of the current user by submitting maliciously crafted serialized data to the application. Exploitation requires user interaction, and the scope is changed, meaning a successful attack can impact resources beyond the vulnerable component. Adobe addressed the issue in security bulletin APSB25-105 published in December 2025.

Critical Impact

Successful exploitation results in arbitrary code execution on the ColdFusion server, enabling attackers to compromise application data, pivot to adjacent systems, and persist within the environment.

Affected Products

  • Adobe ColdFusion 2025 (Update 4 and earlier)
  • Adobe ColdFusion 2023 (Update 16 and earlier)
  • Adobe ColdFusion 2021 (Update 22 and earlier)

Discovery Timeline

  • 2025-12-10 - CVE-2025-61810 published to the National Vulnerability Database
  • 2025-12-12 - Last updated in NVD database

Technical Details for CVE-2025-61810

Vulnerability Analysis

The vulnerability stems from unsafe handling of serialized data within Adobe ColdFusion. ColdFusion supports multiple serialization formats and processes serialized objects from request inputs, session data, and inter-component communication. When the runtime deserializes attacker-supplied data without sufficient type validation, it reconstructs object graphs that can invoke methods leading to code execution.

The attack vector is network-based, but successful exploitation requires both high privileges and user interaction. The changed scope indicates that exploitation can affect components beyond the vulnerable ColdFusion process, including the underlying operating system and other co-hosted applications. With EPSS placing the probability of exploitation at the upper end of the distribution, defenders should treat this as a near-term risk.

Root Cause

The root cause is improper validation of serialized data before object reconstruction, classified under [CWE-502] Deserialization of Untrusted Data. ColdFusion does not adequately restrict the classes that can be instantiated during deserialization, allowing gadget chains within the application classpath to trigger arbitrary method invocations. This pattern is well-known in Java-based platforms where rich object hierarchies provide usable deserialization gadgets.

Attack Vector

An authenticated attacker with high privileges crafts a malicious serialized payload and delivers it to a ColdFusion endpoint that accepts serialized input. The victim must perform an interactive action that causes the payload to be deserialized. Once the object graph is reconstructed, gadget chain execution leads to arbitrary code running in the context of the ColdFusion service account.

No public proof-of-concept exploit code is currently available. Refer to the Adobe Security Advisory APSB25-105 for vendor-supplied technical context.

Detection Methods for CVE-2025-61810

Indicators of Compromise

  • Unexpected child processes spawned from coldfusion.exe, jrun.exe, or the JVM hosting ColdFusion, particularly shells such as cmd.exe, powershell.exe, or /bin/sh.
  • New or modified .cfm, .cfc, or .jsp files in web roots, including wwwroot/CFIDE/ and custom application directories.
  • Outbound network connections from the ColdFusion service account to untrusted hosts immediately after administrative actions.
  • Anomalous entries in coldfusion-out.log or exception.log referencing deserialization errors, ObjectInputStream, or reflective class loading.

Detection Strategies

  • Monitor for process lineage where ColdFusion JVM processes spawn interactive shells or scripting interpreters, which is rarely legitimate in production.
  • Inspect HTTP request bodies and parameters for serialized Java magic bytes (ac ed 00 05) or base64-encoded variants on ColdFusion endpoints.
  • Correlate authenticated administrator sessions with subsequent file writes to web-accessible directories.
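As an added example (not part of the original page), a small Python scanner that applies the second strategy above: it checks a request body for the Java serialization header as raw bytes, as URL-encoded form data, as a hex string, and inside base64 runs, decoding each run instead of matching only the usual `rO0AB` prefix so a stream embedded at any offset in a larger blob is still found. The sample bodies, the `STUB_STREAM` fragment and the function names are constructed for this example.

```python
import base64
import re
from urllib.parse import unquote_to_bytes

# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_MAGIC = b"\xac\xed\x00\x05"
# Hex spelling of the same header, as seen in JSON/XML fields that carry hex blobs.
JAVA_MAGIC_HEX = re.compile(rb"(?i)aced0005")
# Candidate base64 runs (standard and URL-safe alphabets); each run is decoded and
# checked, so the header is found even when it is not at the start of the blob.
B64_RUN = re.compile(rb"[A-Za-z0-9+/\-_]{8,}={0,2}")


def _b64_decode_lenient(run: bytes) -> bytes:
    """Decode a base64 run, tolerating missing padding and the URL-safe alphabet."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:          # a single dangling character is never valid base64
        run = run[:-1]
    try:
        return base64.b64decode(run + b"=" * (-len(run) % 4), altchars=b"-_")
    except (ValueError, TypeError):
        return b""


def find_java_serialization(body: bytes) -> list[str]:
    """Return the encodings under which a Java serialization header appears in body."""
    findings = []
    if JAVA_MAGIC in body:
        findings.append("raw")
    elif JAVA_MAGIC in unquote_to_bytes(body):   # e.g. %AC%ED%00%05 in form parameters
        findings.append("url-encoded")
    if JAVA_MAGIC_HEX.search(body):
        findings.append("hex")
    if any(JAVA_MAGIC in _b64_decode_lenient(m.group(0)) for m in B64_RUN.finditer(body)):
        findings.append("base64")
    return findings


# Constructed sample bodies (not real traffic): the stream fragment carries only the
# header and a class-name stub, not a usable object graph.
STUB_STREAM = JAVA_MAGIC + b"sr\x00\x11java.util.HashMap"
SAMPLE_BODIES = {
    "raw":    STUB_STREAM,
    "b64":    b"payload=" + base64.b64encode(STUB_STREAM),
    "urlenc": b"data=%AC%ED%00%05sr%00%11java.util.HashMap",
    "hex":    b'{"obj":"aced0005737200116a617661"}',
    "benign": b"name=alice&action=update",
}


def scan_samples() -> dict[str, list[str]]:
    """Run the scanner over every constructed sample and map label -> findings."""
    return {label: find_java_serialization(body) for label, body in SAMPLE_BODIES.items()}
```

Run it against captured request bodies from a WAF or reverse-proxy log; a hit on a ColdFusion endpoint that should never receive serialized Java input warrants triage of the originating session.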

Monitoring Recommendations

  • Forward ColdFusion application, JVM, and web server logs to a centralized analytics platform for retention and correlation.
  • Alert on creation or modification of executable web content under ColdFusion document roots by the ColdFusion service account.
  • Track administrative authentication events and flag logins from new geolocations, user agents, or IP ranges.

How to Mitigate CVE-2025-61810

Immediate Actions Required

  • Apply the security updates referenced in Adobe Security Advisory APSB25-105 to upgrade to fixed ColdFusion releases.
  • Restrict administrative access to ColdFusion to a small set of named accounts and require multi-factor authentication on those accounts.
  • Place the ColdFusion Administrator interface behind network access controls so it is not reachable from the public internet.
  • Audit existing administrator and high-privileged accounts for unauthorized activity since the last patch cycle.

Patch Information

Adobe released fixed versions for all supported ColdFusion trains. Administrators should install the cumulative updates published in APSB25-105 for ColdFusion 2025, 2023, and 2021. The advisory provides direct download links and applicability matrices for each affected update level.

Workarounds

  • Run the ColdFusion service under a dedicated low-privileged account to limit the impact of code execution.
  • Apply the ColdFusion serial filter (coldfusion.serialfilter.path) to allowlist only required classes for deserialization.
  • Disable or block unused ColdFusion endpoints and components that accept serialized input from the network.
```text
# Example: enforce a deserialization allowlist via JVM arguments in jvm.config
# Edit <cf_root>/cfusion/bin/jvm.config, append to java.args, then restart ColdFusion:
-Dcoldfusion.serialfilter.path=/opt/coldfusion/lib/serialfilter.txt

# serialfilter.txt content (allowlist required classes, reject everything else).
# Patterns use the JDK serialization-filter syntax and are matched in order; the
# packages listed here are illustrative, so tailor them to what the application deserializes.
java.lang.*;java.util.*;!*
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
