CVE-2025-30285

Name of the Vulnerable Software and Affected Versions ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier

Description The issue is related to a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security protections and execute code. Exploitation of this issue requires user interaction, where a victim must open a malicious file.

Recommendations For ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier, consider disabling the deserialization of untrusted data feature until a patch is available. As a temporary workaround, restrict access to the vulnerable ColdFusion versions to minimize the risk of exploitation. Avoid opening malicious files to prevent exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.