Remote Code Execution Vulnerability in Lucee Administrative Interface
CVE-2025-34074

9.4CRITICAL

Key Information:

Vendor

Lucee Association Switzerland

Status
Lucee
Vendor
CVE Published:
2 July 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-34074?

An authenticated remote code execution vulnerability exists in Lucee's administrative interface due to insecure design in its scheduled task functionality. Administrators with access to /lucee/admin/web.cfm can create a scheduled job that retrieves a remote .cfm file from an attacker-controlled server, which is then executed with the privileges of the Lucee service account. The lack of integrity checks, path restrictions, and execution controls for scheduled task fetches allows attackers to exploit this feature to execute arbitrary code, leading to significant security risks.

Affected Version(s)

Lucee 5.x

Lucee 6.x

Lucee All versions with scheduled task functionality

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-34074 - Proof of Concept

References

https://raw.githubusercontent.com/rapid7/metasploit-frame...
exploit
https://github.com/lucee/Lucee
product
https://vulncheck.com/advisories/lucee-admin-interface-rce
third-party-advisory

CVSS V4

Score:
9.4
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alexander Philiotis of SynerComm
.