CVE Catalog

CVE-2025-61821

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

36th percentile - higher than 36% of all known CVEs

Summary

An XXE vulnerability in ColdFusion allows unauthorized file system reads on the server. Affected versions include 2025.4, 2023.16, 2021.22 and earlier. An attacker can exploit this to access sensitive files, though exploitation depends on conditions beyond the attacker's control.

Risk Assessment

The risk involves potential leakage of confidential data such as configuration files or credentials, which could lead to further escalation. Despite exploitation constraints, the impact on organizational security is significant.

Recommendation

Immediately update ColdFusion to version 2025.5, 2023.17, or 2021.23 (or later). Additionally, restrict server access and monitor logs for suspicious XML requests.

Original NVD description (English source)

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction and scope is changed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS