CVE-2025-24447

high-risk

Published 2025-04-08

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user resulting in a High impact to Confidentiality and Integrity. Exploitation of this issue does not require user interaction.

Do I need to act?

28.4% chance of exploitation in next 30 days

EPSS score — higher than 72% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (20)

Coldfusion

Affected Vendors

Adobe

References (1)

Vendor Advisory https://helpx.adobe.com/security/products/coldfusion/apsb25-15.html

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 15/34 · Moderate

Exposure 23/34 · High