CVE-2025-49537

CWE-78OS Command Injection3 documents3 sources
Severity
7.9HIGH
EPSS
0.1%
top 81.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Adobe Coldfusion
Timeline
PublishedJul 8

Description

ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:HExploitability: 1.2 | Impact: 6.0

Affected Packages2 packages

CVEListV5adobe/coldfusion2021.20
NVDadobe/coldfusion2021, 2023, 2025+2

🔴Vulnerability Details

2
GHSA
GHSA-hf72-6m3v-v4jh: ColdFusion versions 20252025-07-08
CVEList
ColdFusion | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)2025-07-08