CVE-2025-49537

Name of the Vulnerable Software and Affected Versions: ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier

Description: The issue is related to an Improper Neutralization of Special Elements used in an OS Command, also known as OS Command Injection, which could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and the scope is changed. The vulnerable component is restricted to internal IP addresses.

Recommendations: For ColdFusion versions 2025.2, 2023.14, and 2021.20, update to a version that contains a fix for this issue. For versions prior to 2021.20, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.