Impact
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier suffer from an Insufficiently Protected Credentials flaw that allows an attacker to obtain limited write privileges on the affected system. The weakness permits exploitation without the need for user interaction and is rooted in improperly stored or transmitted credentials (CWE-522). If successfully leveraged, an attacker could modify or add data, potentially altering application behavior or injecting malicious artifacts while remaining at the lower privilege level granted by the exposed credentials.
Affected Systems
The affected products are Adobe ColdFusion, specifically versions 2025.4, 2023.16, 2021.22 and all earlier releases across the 2021, 2023 and 2025 product lines. Administrators should identify installations that fall into these version ranges and assess whether they are still in use.
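As an added example, not code from the advisory or from Adobe, the Python helper below triages an inventory of ColdFusion version strings against the affected ranges stated above. It assumes the plain "<year>.<update>" version form (e.g. "2023.9") and treats product lines the advisory does not name as out of scope rather than as safe.

```python
"""Classify Adobe ColdFusion installations against the affected ranges
stated in this advisory (added example, not part of the advisory itself).

Assumed threshold mapping, taken from the advisory text: a release is
affected when it is at or below 2021.22, 2023.16 or 2025.4 within its
product line. Version strings are assumed to have the form
"<year>.<update>", e.g. "2023.9"; anything else is reported as unknown.
"""

# Highest affected update per product line, as listed in the advisory.
LAST_AFFECTED = {2021: 22, 2023: 16, 2025: 4}


def parse_version(text):
    """Return (line, update) from e.g. "2023.9"; raise ValueError otherwise."""
    parts = text.strip().split(".")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ColdFusion version: {text!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version):
    """True/False for the product lines the advisory names.

    Lines the advisory does not mention (e.g. 2018) return None so the
    caller treats them as out of scope instead of silently "not affected".
    """
    line, update = parse_version(version)
    if line not in LAST_AFFECTED:
        return None
    return update <= LAST_AFFECTED[line]


def triage(inventory):
    """Map host -> "affected" / "not affected" / "unknown" for an inventory dict."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = labels[is_affected(version)]
        except ValueError:
            result[host] = "unknown"  # unparseable string: needs manual review
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"cf-prod-01": "2023.16", "cf-prod-02": "2025.5",
              "cf-legacy": "2021.3", "cf-dev": "2018.20", "cf-misc": "11.0.19"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are the ones to check by hand, since the script deliberately refuses to guess for versions outside the advisory's stated ranges.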
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, which further lowers its threat profile. Because no user interaction is required, the likely attack vector is a non-interactive remote or local exploitation path; this is inferred from the description rather than stated explicitly. As a result, the overall risk is moderate, with the potential impact limited to unauthorized write operations rather than full system compromise.
OpenCVE Enrichment