CVE-2025-43562: ColdFusion | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
First published: Tue May 13 2025(Updated: )
ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed.
Credit: psirt@adobe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Adobe ColdFusion | <2025.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-43562?
CVE-2025-43562 has a high severity rating due to the potential for arbitrary code execution.
What versions of ColdFusion are affected by CVE-2025-43562?
CVE-2025-43562 affects ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier.
How do I fix CVE-2025-43562?
To fix CVE-2025-43562, update ColdFusion to the latest version provided by Adobe.
What type of vulnerability is CVE-2025-43562?
CVE-2025-43562 is an OS Command Injection vulnerability.
What potential impact does CVE-2025-43562 have?
CVE-2025-43562 could allow an attacker to execute arbitrary code in the context of the current user.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/type
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/author
- agent/last-modified-date
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/adobe
- canonical/adobe coldfusion