Insufficiently Protected Credentials in ColdFusion by Adobe
CVE-2025-64898

4.3MEDIUM

Key Information:

Vendor: Adobe
Status: Coldfusion
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-64898?

ColdFusion versions 2025.4, 2023.16, and 2021.22, as well as earlier variants, exhibit a vulnerability that allows attackers to exploit insufficiently protected credentials. This weakness can result in limited unauthorized write access, enabling attackers to gain entry without user interaction by leveraging improperly stored or transmitted credentials. Organizations using affected versions should take immediate action to mitigate the risk.

Affected Version(s)

ColdFusion 0 <= 2021.22

References

https://helpx.adobe.com/security/products/coldfusion/apsb...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Nov 11, 2025

JSON