### Critical Vulnerability Information

#### Vulnerability Overview

- **Advisory ID**: APSB25-15
- **Release Date**: April 8, 2025
- **Priority**: 1

Adobe has released security updates for ColdFusion 2025, 2023, and 2021, addressing critical and important vulnerabilities that could lead to arbitrary file system read, arbitrary code execution, and security feature bypass.

#### Affected Versions

| Product | Update Number | Platform |
|-----------------|-----------------------|----------|
| ColdFusion 2025 | Build 331385 | All |
| ColdFusion 2023 | Update 12 and earlier | All |
| ColdFusion 2021 | Update 18 and earlier | All |

#### Remediation

Adobe recommends users install the latest updates:

| Product | Update Version | Platform | Priority Rating | Availability |
|-----------------|----------------|----------|-----------------|--------------|
| ColdFusion 2025 | Update 1 | All | 1 | Tech Note |
| ColdFusion 2023 | Update 13 | All | 1 | Tech Note |
| ColdFusion 2021 | Update 19 | All | 1 | Tech Note |

#### Vulnerability Details

| Vulnerability Category | Impact | Severity | CVSS Base Score | CVSS Vector | CVE ID |
|------------------------|--------|----------|-----------------|-------------|--------|
| Improper Input Validation (CWE-20) | Arbitrary File System Read | Critical | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30466 |
| Deserialization of Untrusted Data (CWE-502) | Arbitrary Code Execution | Critical | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30444 |
| Improper Access Control (CWE-284) | Arbitrary File System Read | Critical | 9.3 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30288 |
| Improper Authentication (CWE-287) | Arbitrary Code Execution | Critical | 9.1 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30286 |
| Deserialization of Untrusted Data (CWE-502) | Arbitrary Code Execution | High | 8.0 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | CVE-2025-30287 |
| Improper Neutralization of Special Elements in OS Commands (CWE-78) | Arbitrary Code Execution | Critical | 8.0 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | CVE-2025-30289 |
| Improper Authentication (CWE-287) | Arbitrary Code Execution | Critical | 8.1 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30288 |
| Improper Access Control (CWE-284) | Security Feature Bypass | High | 7.8 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30288 |
| Improper Neutralization of Special Elements in OS Commands (CWE-78) | Arbitrary Code Execution | Critical | 7.5 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N | CVE-2025-30289 |
| Pathname Restrictions to Restricted Directories (CWE-22) | Security Feature Bypass | Critical | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CVE-2025-30290 |
| Information Exposure (CWE-200) | Security Feature Bypass | High | 6.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H | CVE-2025-30291 |
| Cross-site Scripting (Reflected) (CWE-79) | Arbitrary Code Execution | High | 6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CVE-2025-30292 |
| Improper Input Validation (CWE-20) | Security Feature Bypass | High | 6.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:H | CVE-2025-30290 |
| Improper Input Validation (CWE-20) | Security Feature Bypass | High | 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/H/I:N/A:H | CVE-2025-30291 |

#### Acknowledgments

Adobe thanks the following researchers for reporting these issues and helping protect customers:

- Brian Reilly (wellyb)
- ciscoer
- CVE-2025-30288

This information provides detailed descriptions of the vulnerabilities, affected versions, remediation steps, and the CVSS scores and CVE IDs for each vulnerability.