RCE via ColdFusion ARchive (CAR) Deployment: One Example of an Authenticated Attack Path in CFAdmin (CVE-2025-61808)

Introduction

In this post we'll be looking at one way that an authenticated user with only ColdFusion Administration (CFAdmin) access can achieve remote code execution; this attack scenario could be used to model a rogue CFAdmin user without full server-level access, or an external attacker who is able to obtain unauthorized access to CFAdmin and then bootstrap further escalation and access.

The CFAdmin web interface introduces a large attack surface to ColdFusion environments.  That shouldn’t be a surprise since it adds a substantial default codebase intended to provide hooks into sensitive functionality.  When performing a threat model it could be perfectly reasonable to equate a CFAdmin compromise with a full system compromise.   In many organizations, the users with CFAdmin access may also be platform system administrators – with full, direct access to the underlying operating system.  If that's the case, a malicious CFAdmin user is equivalent to a malicious system administrator, and you’re cooked either way.  

But with that said, Adobe has extended considerable effort to protect and secure CFAdmin.  From monthly security patches, to webserver connectors and connector updates, to fixing other authenticated CFAdmin exploit paths – CFAdmin has become more secure over time.  And in some environments, CFAdmin access versus full platform access are distinct access roles, prompting organizations to care about all authenticated CFAdmin exploitation vectors.

Digging Through Six Old Sandbox Escapes in ColdFusion (ca. 2001 through 2012)

Time for some vulnerability archaeology!  I'm sure you're as excited as I am.  In a previous post I covered a technique to generate precompiled Java bytecode to bypass Sandbox Security restrictions in Adobe ColdFusion (CVE-2025-30288).  And Sandbox Security was first released with ColdFusion 4 in November 1998, so it's been around for quite some time.  Perhaps reading that post made you wonder about historical sandbox escapes in ColdFusion.  If it did, then consider this post an early Christmas present. 🎁  

Speaking at DistrictCon in January 2026 on Language-Level Vulnerabilities in Adobe ColdFusion

 

I'm thrilled to be speaking at DistrictCon in late January 2026.  My talk will cover some recent language-level vulnerabilities in ColdFusion that allow attackers to control variables that they should not be able to, allowing them to control application flow.  Often to scary results.  

Sandbox Security Escapes in ColdFusion and Lucee (CVE-2025-30288 and CVE-2024-55354)

Introduction

In this post I'm going to cover the technical details of a security sandbox escape technique that affects Adobe ColdFusion and Lucee Server.  These vulnerabilities are tracked as CVE-2025-30288 and CVE-2024-55354, and were announced in April 2025.  The resulting patches changed the default way that ColdFusion handled precompiled CFML (Java bytecode) in .cfm and .cfc files.

Before we get into the technical details, it's worth noting that an attacker needs to be able to write files to the server in order to exploit the vulnerability.  As a result, this vulnerability is primarily a risk to shared hosting environments where CFML sandbox controls are in use.  (If an attacker or malicious user can write files to your single-tenant environment, you probably have bigger, more immediate security concerns beyond sandbox escapes.)

Get ready for what I hope is an interesting trip through ColdFusion internals, some Java, and other technical depths.  This was a fun one to find, explore, and exploit. 

CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

 In May I had the pleasure of attending my first CFCamp, where I spoke about CFML security.

The slides from my talk -- Understanding CFML Vulnerabilities, Exploits, and Attack Paths -- are now online below.  With an added bonus of Bavaria in Springtime!

An SSRF to LFI Payload for PDF Generators (CVE-2024-34112 and beyond)

"Hola, amigos. How’s it hangin’? I know it’s been a long time since I last rapped at ya, but I've been busier than a feather plucker on nickel wing night, ya know?  You old buddy Jimbo found some discarded books out back next to the dumpster at the inconvenience store about something called 'Cold Fusion' and I've been reading through those bad boys.  Shoulda called it CON-Fusion if ya ask me.  But I've been having trouble reading the printed word and gettin' these awful headaches ever since I popped in side two of 'Hemispheres' and lit up some sweet Thai Stick I found underneath the passenger side seat of my crapbox Festiva -- that turned out to be the taquito I dropped last July after the Dane County Fair.  It just goes to show ya, yours truly can't catch a break in this world."

[ It was at this point that we decided it wouldn't be a good idea to let Mr. Anchower write the entire blog post.  We weren't wrong.   -Ed. ]

Ahem.  Quick post for today on an SSRF payload that can potentially be used for local file retrieval.  I'll be framing it in the context of CVE-2024-34112, but it could be a viable attack against any application that is doing server-side PDF generation with user-controlled data.  

An Initial Analysis of Adobe ColdFusion CVE-2024-53961

A ColdFusion security patch released two days before Christmas?  I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.  And on that note, may I suggest this perfect album for a little holiday cheer after the servers have been patched, the wine has been mulled, and the goose has been roasted to perfection:

Ghosts of Vulnerabilities Past?

Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval.  Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.  

BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Thank you to BSidesLV for the opportunity to speak this year.  The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below.  They're pretty similar to my Summercon slides, with a few updates.