ColdFusion | Insufficiently Protected Credentials (CWE-522)
Summary
| CVE | CVE-2025-64898 |
|---|---|
| State | PUBLISHED |
| Assigner | adobe |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-12-10 00:16:10 UTC |
| Updated | 2026-06-23 21:16:54 UTC |
| Description | ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.003220000 probability, percentile 0.237650000 (date 2026-06-23)
Problem Types: CWE-522 | CWE-522 Insufficiently Protected Credentials (CWE-522)
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | [email protected] | Primary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | CNA | CVSS | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Adobe | Coldfusion | 2021 | - | All | All |
| Application | Adobe | Coldfusion | 2021 | update1 | All | All |
| Application | Adobe | Coldfusion | 2021 | update10 | All | All |
| Application | Adobe | Coldfusion | 2021 | update11 | All | All |
| Application | Adobe | Coldfusion | 2021 | update12 | All | All |
| Application | Adobe | Coldfusion | 2021 | update13 | All | All |
| Application | Adobe | Coldfusion | 2021 | update14 | All | All |
| Application | Adobe | Coldfusion | 2021 | update15 | All | All |
| Application | Adobe | Coldfusion | 2021 | update16 | All | All |
| Application | Adobe | Coldfusion | 2021 | update17 | All | All |
| Application | Adobe | Coldfusion | 2021 | update18 | All | All |
| Application | Adobe | Coldfusion | 2021 | update19 | All | All |
| Application | Adobe | Coldfusion | 2021 | update2 | All | All |
| Application | Adobe | Coldfusion | 2021 | update20 | All | All |
| Application | Adobe | Coldfusion | 2021 | update21 | All | All |
| Application | Adobe | Coldfusion | 2021 | update22 | All | All |
| Application | Adobe | Coldfusion | 2021 | update3 | All | All |
| Application | Adobe | Coldfusion | 2021 | update4 | All | All |
| Application | Adobe | Coldfusion | 2021 | update5 | All | All |
| Application | Adobe | Coldfusion | 2021 | update6 | All | All |
| Application | Adobe | Coldfusion | 2021 | update7 | All | All |
| Application | Adobe | Coldfusion | 2021 | update8 | All | All |
| Application | Adobe | Coldfusion | 2021 | update9 | All | All |
| Application | Adobe | Coldfusion | 2023 | - | All | All |
| Application | Adobe | Coldfusion | 2023 | update1 | All | All |
| Application | Adobe | Coldfusion | 2023 | update10 | All | All |
| Application | Adobe | Coldfusion | 2023 | update11 | All | All |
| Application | Adobe | Coldfusion | 2023 | update12 | All | All |
| Application | Adobe | Coldfusion | 2023 | update13 | All | All |
| Application | Adobe | Coldfusion | 2023 | update14 | All | All |
| Application | Adobe | Coldfusion | 2023 | update15 | All | All |
| Application | Adobe | Coldfusion | 2023 | update16 | All | All |
| Application | Adobe | Coldfusion | 2023 | update2 | All | All |
| Application | Adobe | Coldfusion | 2023 | update3 | All | All |
| Application | Adobe | Coldfusion | 2023 | update4 | All | All |
| Application | Adobe | Coldfusion | 2023 | update5 | All | All |
| Application | Adobe | Coldfusion | 2023 | update6 | All | All |
| Application | Adobe | Coldfusion | 2023 | update7 | All | All |
| Application | Adobe | Coldfusion | 2023 | update8 | All | All |
| Application | Adobe | Coldfusion | 2023 | update9 | All | All |
| Application | Adobe | Coldfusion | 2025 | - | All | All |
| Application | Adobe | Coldfusion | 2025 | update1 | All | All |
| Application | Adobe | Coldfusion | 2025 | update2 | All | All |
| Application | Adobe | Coldfusion | 2025 | update3 | All | All |
| Application | Adobe | Coldfusion | 2025 | update4 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Adobe | ColdFusion | affected 2021.22 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| helpx.adobe.com/security/products/coldfusion/apsb25-105.html | [email protected] | helpx.adobe.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.