ColdFusion Credential Exposure 2025.4 & Earlier: Unprotected Credentials
CVE-2025-64898 Published on December 9, 2025
ColdFusion | Insufficiently Protected Credentials (CWE-522)
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could result in limited unauthorized write access. An attacker could leverage this vulnerability to gain unauthorized access by exploiting improperly stored or transmitted credentials. Exploitation of this issue does not require user interaction.
Vulnerability Analysis
CVE-2025-64898 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Products Associated with CVE-2025-64898
Want to know whenever a new CVE is published for Adobe ColdFusion? stack.watch will email you.
Affected Versions
Adobe ColdFusion:- Before and including 2021.22 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.