CVE-2025-34074
published 2025-07-02


Priority: P262 · critical · 9.4 (CVSS 4.0)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EXPLOIT
EPSS: 1.13% (62.4th percentile)
An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

Detection & IOCs (extracted from sources)

path: /lucee/admin/web.cfm
  • Monitor HTTP requests to /lucee/admin/web.cfm for authenticated sessions creating or modifying scheduled tasks, particularly those referencing external/attacker-controlled URLs for .cfm file retrieval.
  • Detect new or unexpected .cfm files written to the Lucee webroot directory, especially those fetched by the Lucee scheduler process from remote hosts.
  • Alert on outbound HTTP/HTTPS connections initiated by the Lucee service account process to external hosts, particularly fetching .cfm files — indicative of a malicious scheduled task payload retrieval.
  • On Windows, monitor for process execution under the Lucee service account spawned from the Lucee web process; on Linux, watch for unexpected commands executed as root or the 'lucee' user originating from the Lucee service.
  • Lucee does not enforce integrity checks, path restrictions, or execution controls on files fetched by scheduled tasks, meaning any .cfm file retrieved from a remote server will be written and executed without validation.
  • This vulnerability is distinct from CVE-2024-55354 and should be tracked and remediated independently.
  • A public Metasploit module exists for this vulnerability, lowering the bar for exploitation significantly.
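
One way to apply the first two detection points to web access logs, as an added example that is not part of the original advisory or of Lucee: it correlates a POST to /lucee/admin/web.cfm with a .cfm path that is served successfully for the first time shortly afterwards. The combined log format, the 10-minute window, the baseline set of known pages and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

ADMIN_PATH = "/lucee/admin/web.cfm"   # path named in the advisory
WINDOW = timedelta(minutes=10)        # assumed correlation window
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access log (combined log format), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Jul/2025:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.9 - - [02/Jul/2025:10:01:10 +0000] "POST /lucee/admin/web.cfm?action=placeholder HTTP/1.1" 200 904
203.0.113.9 - - [02/Jul/2025:10:02:30 +0000] "GET /a1b2c3.cfm HTTP/1.1" 200 17
198.51.100.7 - - [02/Jul/2025:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 512
198.51.100.7 - - [02/Jul/2025:11:30:00 +0000] "GET /reports/new.cfm HTTP/1.1" 404 0
"""

def parse(line):
    """Return (timestamp, ip, method, path, status) or None if unparsable."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["uri"].split("?", 1)[0]          # drop the query string
    return ts, m["ip"], m["method"], path, int(m["status"])

def find_suspects(log_text, baseline):
    """Return (admin_post, first_seen_cfm) record pairs worth triaging."""
    admin_posts, seen, hits = [], set(baseline), []
    for rec in filter(None, map(parse, log_text.splitlines())):
        ts, ip, method, path, status = rec
        if path == ADMIN_PATH:
            if method == "POST":              # admin change, e.g. a scheduled task edit
                admin_posts.append(rec)
            continue
        # A .cfm page outside the baseline that is served successfully.
        if path.lower().endswith(".cfm") and path not in seen and status == 200:
            seen.add(path)
            for admin in admin_posts:
                if timedelta(0) <= ts - admin[0] <= WINDOW:
                    hits.append((admin, rec))
                    break
    return hits

if __name__ == "__main__":
    for admin, new in find_suspects(SAMPLE_LOG, {"/index.cfm"}):
        print(f"{new[0].isoformat()} new page {new[3]} after admin POST from {admin[1]}")
```

A hit is a triage lead, not proof: confirm it against the scheduled task list in the Lucee administrator and the file's creation time in the webroot.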