Bulletin ID
Last updated on
Apr 8, 2025
Security updates available for Adobe ColdFusion | APSB25-15
|
|
Date Published |
Priority |
|
APSB25-15 |
April 8, 2025 |
1 |
Summary
Adobe has released security updates for ColdFusion versions 2025, 2023 and 2021. These updates resolve critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution and security feature bypass.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected Versions
|
Product |
Update number |
Platform |
|
ColdFusion 2025 |
Build 331385 |
All |
|
ColdFusion 2023 |
Update 12 and earlier versions |
All |
|
ColdFusion 2021 |
Update 18 and earlier versions |
All |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:
Note:
See the updated serial filter documentation for more details on protection against insecure Wddx deserialization attacks https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html
Vulnerability Details
|
Vulnerability Category |
Vulnerability Impact |
Severity |
CVSS base score |
CVE Numbers |
|
|
Improper Input Validation (CWE-20) |
Arbitrary file system read |
Critical |
9.1 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-24446 |
|
Deserialization of Untrusted Data (CWE-502) |
Arbitrary code execution |
Critical |
9.1 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVE-2025-24447 |
|
Improper Access Control (CWE-284) |
Arbitrary file system read |
Critical |
9.1 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30281 |
|
Improper Authentication (CWE-287) |
Arbitrary code execution |
Critical |
9.1 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30282 |
|
Deserialization of Untrusted Data (CWE-502) |
Arbitrary code execution |
Critical |
8.0 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30284 |
|
Deserialization of Untrusted Data (CWE-502) |
Arbitrary code execution |
Critical |
8.0 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30285 |
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
Arbitrary code execution |
Critical |
8.0 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30286 |
|
Improper Authentication (CWE-287) |
Arbitrary code execution |
Critical |
8.1 |
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30287 |
|
Improper Access Control (CWE-284) |
Security feature bypass |
Critical |
7.8 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
CVE-2025-30288 |
|
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) |
Arbitrary code execution |
Critical |
7.5 |
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N |
CVE-2025-30289 |
|
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22) |
Security feature bypass |
Critical |
8.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
CVE-2025-30290 |
|
Information Exposure (CWE-200) |
Security feature bypass |
Important |
6.2 |
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVE-2025-30291 |
|
Cross-site Scripting (Reflected XSS) (CWE-79) |
Arbitrary code execution |
Important |
6.1 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CVE-2025-30292 |
|
Improper Input Validation (CWE-20) |
Security feature bypass |
Important |
6.8 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N |
CVE-2025-30293 |
|
Improper Input Validation (CWE-20) |
Security feature bypass |
Important |
6.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2025-30294 |
Acknowledgements:
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers:
- nbxiglk - CVE-2025-24446, CVE-2025-30281, CVE-2025-30282, CVE-2025-30284, CVE-2025-30285, CVE-2025-30286, CVE-2025-30289
- Brian Reilly (reillyb) - CVE-2025-24447, CVE-2025-30288, CVE-2025-30290, CVE-2025-30291, CVE-2025-30292, CVE-2025-30293, CVE-2025-30294
- cioier - CVE-2025-30287
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check out https://hackerone.com/adobe
Note:
Adobe recommends updating your ColdFusion JDK/JRE LTS version to the latest update release as a secure practice. The ColdFusion downloads page is regularly updated to include the latest Java installers for the JDK version your installation supports as per the matrices below.
For instructions on how to use an external JDK, view Change ColdFusion JVM.
Adobe also recommends applying the security configuration settings included in the ColdFusion Security documentation as well as review the respective Lockdown guides.
ColdFusion JDK Requirement
COLDFUSION 2025 (version 2023.0.0.331385) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**; " in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;" in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers
On JEE installations, set the following JVM flag, “-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**; !com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;"
in the respective startup file depending on the type of Application Server being used.
For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the ‘Catalina.bat/sh’ file
WebLogic Application Server: edit JAVA_OPTIONS in the ‘startWeblogic.cmd’ file
WildFly/EAP Application Server: edit JAVA_OPTS in the ‘standalone.conf’ file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.
For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com
