Remote Code Execution Vulnerability in Lucee Administrative Interface
CVE-2025-34074
Key Information:
- Status
- Vendor
- CVE Published:
- 2 July 2025
Badges
What is CVE-2025-34074?
An authenticated remote code execution vulnerability exists in Lucee's administrative interface due to insecure design in its scheduled task functionality. Administrators with access to /lucee/admin/web.cfm can create a scheduled job that retrieves a remote .cfm file from an attacker-controlled server, which is then executed with the privileges of the Lucee service account. The lack of integrity checks, path restrictions, and execution controls for scheduled task fetches allows attackers to exploit this feature to execute arbitrary code, leading to significant security risks.
Affected Version(s)
Lucee 5.x
Lucee 6.x
Lucee All versions with scheduled task functionality
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved