Rewterz

Multiple Adobe ColdFusion Vulnerabilities

Severity

High

Analysis Summary

CVE-2025-49536 CVSS:7.3

Adobe ColdFusion could allow a remote attacker to bypass security restrictions, caused by an incorrect authorization vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to bypass security measures and gain unauthorized access.

CVE-2025-49537 CVSS:7.9

Adobe ColdFusion could allow a remote attacker to execute arbitrary commands on the system, caused by an OS command injection vulnerability. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary commands on the system with the privileges of the victim or cause the application to crash.

CVE-2025-49551 CVSS:8.8

Adobe ColdFusion could allow a remote attacker to gain elevated privileges on the system, caused by the use of hard-coded credentials. By persuading a victim to open a specially crafted document, an attacker could exploit this vulnerability to execute arbitrary code on the system with the privileges of the victim or cause the application to crash.

CVE-2025-49538 CVSS:7.4

Adobe ColdFusion could allow a remote attacker to obtain sensitive information, caused by an XML injection vulnerability. By injecting specially crafted XML or XPath queries, a remote attacker could exploit this vulnerability to access files without authorization or cause a denial of service.

Impact

  • Security Bypass
  • Privilege Escalation
  • Information Disclosure
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2025-49536

  • CVE-2025-49537

  • CVE-2025-49551

  • CVE-2025-49538

Affected Vendors

  • Adobe

Affected Products

  • Adobe ColdFusion 2021 - Update 20
  • Adobe ColdFusion 2023 - Update 14
  • Adobe ColdFusion 2025 - Update 2

Remediation

Refer to Adobe Security Bulletin for patch, upgrade or suggested workaround information.

Adobe Security Bulletin