OS Command Injection Vulnerability in Adobe ColdFusion Products
CVE-2025-49537

7.9HIGH

Key Information:

Vendor

Adobe

Vendor
CVE Published:
8 July 2025

What is CVE-2025-49537?

Adobe ColdFusion versions 2025.2, 2023.14, 2021.20, and earlier versions have a vulnerability that improperly neutralizes special elements used in OS commands, potentially allowing a high-privileged attacker to execute arbitrary code. This exploitation requires user interaction and is limited to internal IP addresses, increasing the risk for users who may unknowingly trigger the vulnerability.

Affected Version(s)

ColdFusion 0 <= 2021.20

References

CVSS V3.1

Score:
7.9
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-49537 : OS Command Injection Vulnerability in Adobe ColdFusion Products