Sandbox Security Escapes in ColdFusion and Lucee (CVE-2025-30288 and CVE-2024-55354)

Introduction

In this post I'm going to cover the technical details of a security sandbox escape technique that affects Adobe ColdFusion and Lucee Server.  These vulnerabilities are tracked as CVE-2025-30288 and CVE-2024-55354, and were announced in April 2025.  The resulting patches changed the default way that ColdFusion handled precompiled CFML (Java bytecode) in .cfm and .cfc files.

Before we get into the technical details, it's worth noting that an attacker needs to be able to write files to the server in order to exploit the vulnerability.  As a result, this vulnerability is primarily a risk to shared hosting environments where CFML sandbox controls are in use.  (If an attacker or malicious user can write files to your single-tenant environment, you probably have bigger, more immediate security concerns beyond sandbox escapes.)

Get ready for what I hope is an interesting trip through ColdFusion internals, some Java, and other technical depths.  This was a fun one to find, explore, and exploit. 

CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths

 In May I had the pleasure of attending my first CFCamp, where I spoke about CFML security.

The slides from my talk -- Understanding CFML Vulnerabilities, Exploits, and Attack Paths -- are now online below.  With an added bonus of Bavaria in Springtime!

An SSRF to LFI Payload for PDF Generators (CVE-2024-34112 and beyond)

"Hola, amigos. How’s it hangin’? I know it’s been a long time since I last rapped at ya, but I've been busier than a feather plucker on nickel wing night, ya know?  You old buddy Jimbo found some discarded books out back next to the dumpster at the inconvenience store about something called 'Cold Fusion' and I've been reading through those bad boys.  Shoulda called it CON-Fusion if ya ask me.  But I've been having trouble reading the printed word and gettin' these awful headaches ever since I popped in side two of 'Hemispheres' and lit up some sweet Thai Stick I found underneath the passenger side seat of my crapbox Festiva -- that turned out to be the taquito I dropped last July after the Dane County Fair.  It just goes to show ya, yours truly can't catch a break in this world."

[ It was at this point that we decided it wouldn't be a good idea to let Mr. Anchower write the entire blog post.  We weren't wrong.   -Ed. ]

Ahem.  Quick post for today on an SSRF payload that can potentially be used for local file retrieval.  I'll be framing it in the context of CVE-2024-34112, but it could be a viable attack against any application that is doing server-side PDF generation with user-controlled data.  

An Initial Analysis of Adobe ColdFusion CVE-2024-53961

A ColdFusion security patch released two days before Christmas?  I have a feeling that may have resulted in many sysadmins shouting "Fiddlesticks!" (or perhaps another f-word) earlier today.  And on that note, may I suggest this perfect album for a little holiday cheer after the servers have been patched, the wine has been mulled, and the goose has been roasted to perfection:

Ghosts of Vulnerabilities Past?

Adobe released APSB24-107 today, which addresses one vulnerability in ColdFusion tracked as CVE-2024-53961 and described as a path traversal that could lead to file retrieval.  Based on a quick review of the corresponding patches, it appears to be a security enhancement that improves protection (and possibly remediates bypasses) against the attack vectors first addressed in APSB24-14 / CVE-2024-20767 back in March.  

BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Thank you to BSidesLV for the opportunity to speak this year.  The slides from my talk, Modern ColdFusion Exploitation and Attack Surface Reduction, are now online below.  They're pretty similar to my Summercon slides, with a few updates.

On ColdFusion Administrator Access Control Bypass Techniques

Introduction

Access Control is frequently boring but important.  It's one of the core security services defined in the OSI Security Architecture reference model.  And it's illustrative of what Erasmus and Franklin (not to mention many doctors, nutritionists, and personal trainers) had to say about preventions versus cures.  An attacker can't exploit what he can't access.

Let's pretend you're a jewel thief who wants to steal a bag of jewels locked securely in a bedroom wall safe.  Before you can get down to the art and science of safecracking, you need to get access to the safe first.  The bedroom and the wall safe are protected areas that any passing jewel thief shouldn't be able to just walk up to and start poking at.  Your path to the wall safe would likely have layered security controls -- a locked front door, motion sensors, lasers, CCTV cameras, dogs, bees, dogs with bees in their mouths and when they bark they shoot bees at you, etc. -- that may deter you or at least make your job more difficult.

Looking at CFAdmin

Think of the ColdFusion Administrator (CFAdmin) -- the web-based interface for configuring and managing your ColdFusion environment -- in the same way as that wall safe.  You want to protect and restrict access to CFAdmin as part of your security baseline.  CFAdmin components are accessible via /CFIDE/ URI paths and expose lots of functionality; most components require authentication (a local username/password, or LDAP as of ColdFusion 2023) to access, although some are accessible without authentication.  So proper access control is crucial.

Summercon 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction

Last Friday it was an absolute honor to talk about ColdFusion security at Summercon.  Summercon was the first security conference I attended and it remains my favorite after many years, as BlackHat has gotten enormous and other cons have run their course.  The slides from my talk Modern ColdFusion Exploitation and Attack Surface Reduction are below.  This talk is the result of several years of thinking about, examining, and researching the attack surface of ColdFusion from both offensive and defensive perspectives.  I'll also be giving the talk again at BSides Las Vegas next month -- with some updated slides, content, and surprises.

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background 

Imperva SecureSphere Web Application Firewall (WAF) is an on-premise security solution to inspect, monitor and block traffic to web applications.  Some versions of SecureSphere WAF are affected by a vulnerability that could allow an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.