PT-2025-15645 · Adobe · ColdFusion

Published: 2025-04-08 · Updated: 2025-04-22 · CVE-2025-24447

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.0 and earlier; ColdFusion versions 2023.12; ColdFusion versions 2021.18.

Description: The issue is a Deserialization of Untrusted Data vulnerability that can result in arbitrary code execution in the context of the current user. Exploitation requires user interaction: a victim must open a malicious file (note that the CVSS vector above encodes UI:N, i.e. no user interaction, which is inconsistent with this statement). The vulnerability stems from deficiencies in the deserialization mechanism, allowing a remote attacker to execute arbitrary code.

Recommendations: For ColdFusion versions 2025.0 and earlier, update to a version that includes a fix for the Deserialization of Untrusted Data vulnerability. For ColdFusion versions 2023.12, apply the necessary security patches or updates to resolve the vulnerability. For ColdFusion versions 2021.18, consider applying configuration changes or workarounds to mitigate the risk of exploitation until a patch is available. As a temporary workaround, restrict the use of deserialization functions to minimize the risk of exploitation.

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: BDU:2025-04063, CVE-2025-24447

Affected Products: ColdFusion