Improper Restriction of XML External Entity Reference in Adobe ColdFusion
CVE-2025-49539

4.5MEDIUM

Key Information:

Vendor: Adobe
Status: Coldfusion
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-49539?

Adobe ColdFusion versions 2025.2, 2023.14, 2021.20, and earlier are susceptible to an Improper Restriction of XML External Entity Reference (XXE) vulnerability. This flaw allows an attacker with high privileges to bypass security features and potentially access sensitive information without any user interaction. The issue is confined to internal IP addresses, posing significant risk if exploited.

Affected Version(s)

ColdFusion 0 <= 2021.20

References

https://helpx.adobe.com/security/products/coldfusion/apsb...

vendor-advisory

CVSS V3.1

Score:

4.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Jun 6, 2025