CVE-2025-34074
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-07-03
Assigner: VulnCheck
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-34074 is a critical authenticated remote code execution vulnerability in the Lucee administrative interface. An attacker who has administrator access to the Lucee admin panel can create a scheduled task that fetches a malicious .cfm file from a remote server. This file is saved in the Lucee webroot and executed with the privileges of the Lucee service account. The vulnerability exists because Lucee does not enforce integrity checks, path restrictions, or execution controls on scheduled task fetches, allowing arbitrary code execution on the server. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to full remote code execution on the affected Lucee server with the privileges of the Lucee service account. An attacker can run arbitrary commands, potentially leading to data theft, system compromise, service disruption, or further lateral movement within the network. Because the exploit runs with elevated privileges, it can severely impact confidentiality, integrity, and availability of the system and its data. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve checking for unauthorized or suspicious scheduled jobs configured in the Lucee administrative interface, especially those fetching remote .cfm files. Additionally, inspecting Lucee's application and exception logs for unusual entries and looking for unexpected .cfm files in the webroot directories (e.g., C:/lucee/tomcat/webapps/ROOT/ on Windows or /opt/lucee/tomcat/webapps/ROOT/ on Linux) can help identify exploitation attempts. Since the exploit uses HTTP POST requests to /lucee/admin/web.cfm, monitoring web server logs for such requests with unusual parameters or payloads may also be effective. Using the Metasploit module (Resource 2) can help verify if the system is vulnerable by attempting an authenticated exploit in a controlled manner. [2]
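The checks described above, as an added defender-side example (this is not BaseFortify's or the Lucee project's code): it flags POST requests to /lucee/admin/web.cfm in constructed access-log lines and lists .cfm files under the default webroots that are outside an allowlist or newer than a cutoff. The access-log layout (Tomcat/Apache common format), the trusted-IP set and the allowlist are assumptions to adapt per deployment.

```python
import os
import re

ADMIN_ENDPOINT = "/lucee/admin/web.cfm"
# Default Lucee webroot locations quoted in the detection guidance above.
DEFAULT_WEBROOTS = ("C:/lucee/tomcat/webapps/ROOT", "/opt/lucee/tomcat/webapps/ROOT")

# Assumed access-log layout: Tomcat/Apache common format (%h %l %u %t "%r" %s %b).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_admin_posts(log_lines, trusted_ips=frozenset()):
    """(ip, timestamp, request) for each POST to the admin endpoint from an IP not in trusted_ips."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown line layout: skip it rather than abort the scan
        path = m["path"].split("?", 1)[0]  # compare without the query string
        if m["method"] == "POST" and path == ADMIN_ENDPOINT and m["ip"] not in trusted_ips:
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits

def unexpected_cfm(files, allowlist, since):
    """files: (relative path, mtime in epoch seconds) pairs; returns .cfm entries outside the allowlist or modified at/after `since`."""
    return sorted(rel for rel, mtime in files
                  if rel.lower().endswith(".cfm") and (rel not in allowlist or mtime >= since))

def walk_webroot(webroot):
    """Yield (relative path, mtime) for every file under webroot, as input for unexpected_cfm()."""
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, webroot).replace(os.sep, "/"), os.path.getmtime(full)

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Jul/2025:10:15:01 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jul/2025:10:16:44 +0000] "POST /lucee/admin/web.cfm?x=1 HTTP/1.1" 302 0',
    '10.0.0.9 - - [02/Jul/2025:10:17:02 +0000] "POST /lucee/admin/web.cfm HTTP/1.1" 200 0',
    "not a log line",
]

if __name__ == "__main__":
    print(flag_admin_posts(SAMPLE_LOG, trusted_ips={"10.0.0.9"}))
    for root in filter(os.path.isdir, DEFAULT_WEBROOTS):  # empty allowlist: list every .cfm for review
        print(root, unexpected_cfm(walk_webroot(root), allowlist=set(), since=0.0))
```

In a real run, feed the server's access log to flag_admin_posts and populate the allowlist with the .cfm files known from the deployment so only new or modified ones are reported.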
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting administrative access to the Lucee interface (/lucee/admin/web.cfm) to trusted users only, enforcing strong authentication and access controls, and disabling or restricting the scheduled task functionality if not required. Monitoring and removing any suspicious scheduled jobs that fetch remote .cfm files is critical. Applying any available patches or updates from Lucee that address this vulnerability is also recommended. Additionally, reviewing and hardening file system permissions on the webroot directories to prevent unauthorized file writes can reduce risk. [1, 2]