PT-2025-27666 · Lucee · Lucee

Alexander Philiotis

·

Published

2025-07-02

·

Updated

2026-03-23

·

CVE-2025-34074

CVSS v4.0

9.4

Critical

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: Lucee versions 5.x through 6.x
Description: An authenticated remote code execution issue exists in Lucee's administrative interface due to insecure design of the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled task that fetches a remote .cfm file from an attacker-controlled server and publishes it into the Lucee webroot, where it is executed with the privileges of the Lucee service account (the account running the servlet container). Because Lucee does not enforce integrity checks, path restrictions, or execution controls on the files a scheduled task fetches and writes, the feature can be abused for arbitrary code execution by anyone holding administrator credentials, which is why the vector carries PR:H despite the Critical score.
Recommendations: For Lucee 5.x through 6.x, restrict access to the administrative interface and to the scheduled task functionality to trusted administrators (network restrictions on /lucee/admin/ and strong, unique administrator passwords), and monitor scheduled task configurations for tasks that publish fetched content into the webroot or that fetch from hosts you do not control. As a temporary workaround, consider disabling the scheduled task feature until a patch is available, and avoid using scheduled tasks to retrieve remote files until the issue is resolved. At the time of writing there is no information about a version that contains a fix for this vulnerability.
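The recommendation above to monitor scheduled task configurations can be automated. The script below is an added example for this advisory, not code from the Lucee project or the original publication. It parses a Lucee scheduler configuration and flags tasks that either fetch from a non-local host or publish the fetched body to an executable file inside the webroot, the exact combination the description relies on. The XML layout (a schedule root with task children carrying name, url, file, path and publish attributes, as Lucee 5 writes to WEB-INF/lucee/scheduler/scheduler.xml) is an assumption based on that default format; check attribute names against your own install. The sample XML is constructed for illustration.

```python
"""Audit a Lucee scheduler configuration for scheduled tasks that publish
remotely fetched content into executable files under the webroot.

Added example for this advisory, not Lucee project code. Assumptions:
a <schedule> root with <task> children carrying url, file, path and
publish attributes (Lucee 5's scheduler.xml layout); the sample XML
below is constructed.
"""
import os
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

# Extensions Lucee or the servlet container will execute when requested.
EXECUTABLE_EXTS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx"}

# Hosts treated as the server itself; anything else is a remote fetch.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: a benign report export, one task shaped like the
# abuse in the advisory (remote URL, .cfm published into the webroot),
# and a task that publishes nothing.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<schedule>
  <task name="nightly-report" url="http://localhost:8888/reports/export.cfm"
        interval="daily" startdate="2025-01-01" starttime="02:00"
        publish="true" file="/opt/lucee/data/reports/nightly.csv"
        paused="false"/>
  <task name="sync" url="http://203.0.113.10/payload.txt"
        interval="60" startdate="2025-07-01" starttime="00:00"
        publish="true" file="/opt/lucee/tomcat/webapps/ROOT/assets/up.cfm"
        paused="false"/>
  <task name="ping" url="http://localhost:8888/health.cfm"
        interval="300" startdate="2025-01-01" starttime="00:00"
        publish="false"/>
</schedule>
"""


def _is_within(child: str, parent: str) -> bool:
    """True if the normalised path `child` lies inside directory `parent`."""
    child = os.path.normpath(os.path.abspath(child))
    parent = os.path.normpath(os.path.abspath(parent))
    return os.path.commonpath([child, parent]) == parent


def _truthy(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in {"true", "yes", "1"}


def audit_tasks(xml_text: str, webroot: str) -> list:
    """Return one finding per task that fetches from a non-local host or
    publishes fetched content to an executable file or into the webroot."""
    findings = []
    root = ET.fromstring(xml_text)
    for task in root.iter("task"):
        name = task.get("name", "<unnamed>")
        url = task.get("url", "")
        reasons = []

        host = (urlparse(url).hostname or "").lower()
        if host and host not in LOCAL_HOSTS:
            reasons.append("fetches from remote host %s" % host)

        if _truthy(task.get("publish")):
            # Lucee may store the output as a full `file` path or as a
            # separate `path` plus `file` (assumption; both are handled).
            out = task.get("file", "")
            if task.get("path"):
                out = os.path.join(task.get("path"), out)
            if out:
                ext = os.path.splitext(out)[1].lower()
                if ext in EXECUTABLE_EXTS:
                    reasons.append("publishes executable file %s" % out)
                if _is_within(out, webroot):
                    reasons.append("output path is inside the webroot")

        if reasons:
            findings.append({"task": name, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_XML, "/opt/lucee/tomcat/webapps/ROOT"):
        print("[!] %s: %s" % (f["task"], "; ".join(f["reasons"])))
```

Run it against the scheduler.xml of each Lucee web context with that context's real webroot; a task that trips the remote-host check on its own may be legitimate, but a published file with an executable extension, or any published file inside the webroot, warrants investigation regardless of which administrator created it.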

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-34074

Affected Products

Lucee