CVE-2025-34074

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.
CVSS

No CVSS.

Configurations

No configuration.

History

03 Jul 2025, 14:15

Type Values Removed Values Added
References () https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/lucee_scheduled_job.rb - () https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/lucee_scheduled_job.rb -
Summary
  • (es) Existe una vulnerabilidad de ejecución remota de código autenticada en la interfaz administrativa de Lucee debido a un diseño inseguro en la funcionalidad de tareas programadas. Un administrador con acceso a /lucee/admin/web.cfm puede configurar una tarea programada para recuperar un archivo .cfm remoto de un servidor controlado por un atacante. Este archivo se escribe en la raíz web de Lucee y se ejecuta con los privilegios de la cuenta de servicio de Lucee. Dado que Lucee no aplica comprobaciones de integridad, restricciones de ruta ni controles de ejecución para la obtención de tareas programadas, esta función puede utilizarse de forma abusiva para ejecutar código arbitrario. Este problema es distinto de CVE-2024-55354.

02 Jul 2025, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-07-02 20:15

Updated : 2025-07-03 15:13


NVD link : CVE-2025-34074

Mitre link : CVE-2025-34074

CVE.ORG link : CVE-2025-34074


JSON object : View

Products Affected

No product.

CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-829

Inclusion of Functionality from Untrusted Control Sphere