CVE-2025-49546 (GCVE-0-2025-49546)

Vulnerability from cvelistv5 – Published: 2025-07-08 20:49 – Updated: 2025-07-14 20:53
VLAI?
Summary
ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.
Severity ?
2.4 (Low)
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
CWE
  • CWE-284 - Improper Access Control (CWE-284)
Assigner
References
Impacted products
Vendor Product Version
Adobe ColdFusion Affected: 0 , ≤ 2021.20 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49546",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-09T13:46:12.215872Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-09T16:06:11.332Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "ColdFusion",
          "vendor": "Adobe",
          "versions": [
            {
              "lessThanOrEqual": "2021.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2025-07-08T17:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "availabilityRequirement": "NOT_DEFINED",
            "baseScore": 2.4,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "confidentialityRequirement": "NOT_DEFINED",
            "environmentalScore": 2.4,
            "environmentalSeverity": "LOW",
            "exploitCodeMaturity": "NOT_DEFINED",
            "integrityImpact": "NONE",
            "integrityRequirement": "NOT_DEFINED",
            "modifiedAttackComplexity": "LOW",
            "modifiedAttackVector": "ADJACENT_NETWORK",
            "modifiedAvailabilityImpact": "LOW",
            "modifiedConfidentialityImpact": "NONE",
            "modifiedIntegrityImpact": "NONE",
            "modifiedPrivilegesRequired": "HIGH",
            "modifiedScope": "UNCHANGED",
            "modifiedUserInteraction": "NONE",
            "privilegesRequired": "HIGH",
            "remediationLevel": "NOT_DEFINED",
            "reportConfidence": "NOT_DEFINED",
            "scope": "UNCHANGED",
            "temporalScore": 2.4,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "Improper Access Control (CWE-284)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-14T20:53:48.403Z",
        "orgId": "078d4453-3bcd-4900-85e6-15281da43538",
        "shortName": "adobe"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "ColdFusion | Improper Access Control (CWE-284)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538",
    "assignerShortName": "adobe",
    "cveId": "CVE-2025-49546",
    "datePublished": "2025-07-08T20:49:33.560Z",
    "dateReserved": "2025-06-06T15:42:09.516Z",
    "dateUpdated": "2025-07-14T20:53:48.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-49546\",\"sourceIdentifier\":\"psirt@adobe.com\",\"published\":\"2025-07-08T21:15:27.820\",\"lastModified\":\"2025-07-15T18:40:27.650\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.\"},{\"lang\":\"es\",\"value\":\"Las versiones 2025.2, 2023.14, 2021.20 y anteriores de ColdFusion se ven afectadas por una vulnerabilidad de control de acceso inadecuado que podr\u00eda provocar una denegaci\u00f3n de servicio (DSP) en la aplicaci\u00f3n. Un atacante con privilegios elevados podr\u00eda explotar esta vulnerabilidad para interrumpir la disponibilidad de la aplicaci\u00f3n. La explotaci\u00f3n de este problema no requiere la interacci\u00f3n del usuario y su alcance no var\u00eda. El componente vulnerable se limita a direcciones IP internas.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":2.4,\"baseSeverity\":\"LOW\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":0.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@adobe.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-284\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"7A94B406-C011-4673-8C2B-0DD94D46CC4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AFD05E3A-10F9-4C75-9710-BA46B66FF6E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1FC7D1D-6DD2-48B2-980F-B001B0F24473\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FA19E1D-61C2-4640-AF06-4BCFE750BDF3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*\",\"matchCriteriaId\":\"3F331DEA-F3D0-4B13-AB1E-6FE39B2BB55D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update13:*:*:*:*:*:*\",\"matchCriteriaId\":\"63D5CF84-4B0D-48AE-95D6-262AEA2FFDE8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update14:*:*:*:*:*:*\",\"matchCriteriaId\":\"10616A3A-0C1C-474A-BD7D-A2A5BB870F74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update15:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7DA523E-1D9B-45FD-94D9-D4F9F2B9296B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update16:*:*:*:*:*:*\",\"matchCriteriaId\":\"151AFF8B-F05C-4D27-85FC-DF88E9C11BEA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update17:*:*:*:*:*:*\",\"matchCriteriaId\":\"53A0E245-2915-4DFF-AFB5-A12F5C435702\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update18:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5653D18-7534-48A3-819F-9F049A418F99\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update19:*:*:*:*:*:*\",\"matchCriteriaId\":\"BABC6468-A780-4080-A930-4125D1B39C51\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D57C8681-AC68-47DF-A61E-B5C4B4A47663\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update20:*:*:*:*:*:*\",\"matchCriteriaId\":\"F58633C9-E957-46B7-8F5B-B060A8726E33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"75608383-B727-48D6-8FFA-D552A338A562\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"7773DB68-414A-4BA9-960F-52471A784379\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B38B9E86-BCD5-4BCA-8FB7-EC55905184E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"5E7BAB80-8455-4570-A2A2-8F40469EE9CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"F9D645A2-E02D-4E82-A2BD-0A7DE5B8FBCC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E22D701-B038-4795-AA32-A18BC93C2B6F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*\",\"matchCriteriaId\":\"CAC4A0EC-C3FC-47D8-86CE-0E6A87A7F0B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B02A37FE-5D31-4892-A3E6-156A8FE62D28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0AA3D302-CFEE-4DFD-AB92-F53C87721BFF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:*\",\"matchCriteriaId\":\"645D1B5F-2DAB-4AB8-A465-AC37FF494F95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED6D8996-0770-4C9F-BEA5-87EA479D40A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:*\",\"matchCriteriaId\":\"4836086E-3D4A-4A07-A372-382D385CB490\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update13:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBC19168-4184-4B59-B9C8-E98844124EED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update14:*:*:*:*:*:*\",\"matchCriteriaId\":\"A60DCD92-9A5B-411C-9554-642C91D77FAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB88D4FE-5496-4639-BAF2-9F29F24ABF29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*\",\"matchCriteriaId\":\"43E0ED98-2C1F-40B8-AF60-FEB1D85619C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*\",\"matchCriteriaId\":\"76204873-C6E0-4202-8A03-0773270F1802\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*\",\"matchCriteriaId\":\"C1A22BE9-0D47-4BA8-8BDB-9B12D7A0F7C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3A83642-BF14-4C37-BD94-FA76AABE8ADC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update7:*:*:*:*:*:*\",\"matchCriteriaId\":\"A892E1DC-F2C8-4F53-8580-A2D1BEED5A25\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update8:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB97ADBA-C1A9-4EE0-9509-68CB12358AE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2023:update9:*:*:*:*:*:*\",\"matchCriteriaId\":\"E17C38F0-9B0F-4433-9CBD-6E3D63EA9BDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"30779417-D4E5-4A01-BE0E-1CE1D134292A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:update1:*:*:*:*:*:*\",\"matchCriteriaId\":\"80D7FC6A-F264-4CB1-A18D-B091EBA47882\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:adobe:coldfusion:2025:update2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3DA0D20-93BA-4C76-A400-159853CD7277\"}]}]}],\"references\":[{\"url\":\"https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html\",\"source\":\"psirt@adobe.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49546\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-09T13:46:12.215872Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-09T13:49:06.691Z\"}}], \"cna\": {\"title\": \"ColdFusion | Improper Access Control (CWE-284)\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.4, \"attackVector\": \"ADJACENT_NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L\", \"modifiedScope\": \"UNCHANGED\", \"temporalScore\": 2.4, \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"remediationLevel\": \"NOT_DEFINED\", \"reportConfidence\": \"NOT_DEFINED\", \"temporalSeverity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"environmentalScore\": 2.4, \"privilegesRequired\": \"HIGH\", \"exploitCodeMaturity\": \"NOT_DEFINED\", \"integrityRequirement\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"ADJACENT_NETWORK\", \"confidentialityImpact\": \"NONE\", \"environmentalSeverity\": \"LOW\", \"availabilityRequirement\": \"NOT_DEFINED\", \"modifiedIntegrityImpact\": \"NONE\", \"modifiedUserInteraction\": \"NONE\", \"modifiedAttackComplexity\": \"LOW\", \"confidentialityRequirement\": \"NOT_DEFINED\", \"modifiedAvailabilityImpact\": \"LOW\", \"modifiedPrivilegesRequired\": \"HIGH\", \"modifiedConfidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Adobe\", \"product\": \"ColdFusion\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2021.20\"}], \"defaultStatus\": \"affected\"}], \"datePublic\": \"2025-07-08T17:00:00.000Z\", \"references\": [{\"url\": \"https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html\", \"tags\": [\"vendor-advisory\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. A high-privileged attacker could exploit this vulnerability to partially disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-284\", \"description\": \"Improper Access Control (CWE-284)\"}]}], \"providerMetadata\": {\"orgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"shortName\": \"adobe\", \"dateUpdated\": \"2025-07-14T20:53:48.403Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-49546\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-14T20:53:48.403Z\", \"dateReserved\": \"2025-06-06T15:42:09.516Z\", \"assignerOrgId\": \"078d4453-3bcd-4900-85e6-15281da43538\", \"datePublished\": \"2025-07-08T20:49:33.560Z\", \"assignerShortName\": \"adobe\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.