CVE-2025-61821
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
An XXE vulnerability in ColdFusion allows unauthorized file system reads on the server. Affected versions include 2025.4, 2023.16, 2021.22 and earlier. An attacker can exploit this to access sensitive files, though exploitation depends on conditions beyond the attacker's control.
Risk Assessment
The risk involves potential leakage of confidential data such as configuration files or credentials, which could lead to further escalation. Despite exploitation constraints, the impact on organizational security is significant.
Recommendation
Immediately update ColdFusion to version 2025.5, 2023.17, or 2021.23 (or later). Additionally, restrict server access and monitor logs for suspicious XML requests.
Original NVD description (English source)
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and data on the server. Exploit depends on conditions beyond the attacker's control. Exploitation of this issue does not require user interaction and scope is changed.

