CVE-2025-24447: 
Adobe ColdFusion vulnerability analysis and mitigation

ColdFusion versions 2023.12, 2021.18, 2025.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability identified as CVE-2025-24447. The vulnerability was discovered and disclosed on April 8, 2025, and could result in arbitrary code execution in the context of the current user. The exploitation requires user interaction, specifically requiring a victim to open a malicious file (NVD).

The vulnerability has been assigned CWE-502 (Deserialization of Untrusted Data) classification. It received a CVSS v3.1 base score of 9.1 (Critical) from Adobe Systems with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, while NIST assigned a score of 7.8 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability could lead to arbitrary code execution in the context of the current user. The vulnerability affects multiple versions of ColdFusion and could potentially allow attackers to execute malicious code on affected systems (Hacker News).

Adobe has released patches to address this vulnerability. Users are advised to update to ColdFusion 2021 Update 19, ColdFusion 2023 Update 13, or ColdFusion 2025 Update 1 to mitigate the risk (Hacker News).