Adobe has released security updates addressing several critical and high-severity vulnerabilities in ColdFusion versions 2025.4, 2023.16, 2021.22, and earlier. The vulnerabilities include improper input validation, improper access control, unrestricted upload of files with dangerous types, deserialization of untrusted data, and improper restriction of XML external entity references. These flaws could allow attackers to bypass security features, gain unauthorized read and write access, execute arbitrary code, escalate privileges, and read sensitive files from the server. Most of these vulnerabilities can be exploited remotely and do not require user interaction, with some specifically requiring high-privileged access.
Adobe's security bulletin (APSB25-105) confirms that there are currently no known exploits in the wild for these issues. The company strongly recommends users update to the latest versions—ColdFusion 2025 Update 5, 2023 Update 17, and 2021 Update 23—to mitigate the risks. Additional guidance includes using the latest MySQL Java connector and reviewing updated serial filter documentation to protect against insecure deserialization attacks. Organizations using affected ColdFusion versions should prioritize patching to prevent potential exploitation of these vulnerabilities.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Adobe PSIRT disclosed CVE-2025-61808, CVE-2025-61809, CVE-2025-61810, CVE-2025-61811, CVE-2025-61812, and CVE-2025-61813, including critical file upload and input validation flaws and high-severity deserialization, access control, input validation, and XXE issues. The vulnerabilities could enable arbitrary code execution, unauthorized read/write access, or arbitrary file reads depending on the flaw.
Adobe published security advisory APSB25-105 covering multiple ColdFusion vulnerabilities affecting versions 2025.4, 2023.16, 2021.22, and earlier, and provided patched versions or update guidance.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcecvefeed.io
Open sourcehelpx.adobe.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.