CVE-2025-43561: 
Adobe ColdFusion vulnerability analysis and mitigation

An Incorrect Authorization vulnerability was discovered in Adobe ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier, identified as CVE-2025-43561. The vulnerability was published on May 13, 2025, and has been assigned a Critical severity rating with a CVSS v3.1 base score of 9.1. This security issue affects Adobe ColdFusion software and could potentially lead to arbitrary code execution in the context of the current user (NVD, Wiz).

The vulnerability has been classified as an Incorrect Authorization vulnerability (CWE-863) and stems from improper validation when handling crafted HTTP requests. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high privileges required. The vulnerability does not require user interaction for exploitation, and the scope is changed (NVD, Wiz).

Successful exploitation of this vulnerability could result in arbitrary code execution in the context of the current user. Additionally, it could lead to the disclosure of sensitive information that may be used to further compromise the system. The vulnerability allows attackers to bypass authentication mechanisms and execute code (Wiz).

Adobe has released security updates to address this vulnerability through the security bulletin APSB25-52. Users are strongly advised to apply the latest updates from the vendor to mitigate the risk (Adobe Security Bulletin).