Impact
Adobe ColdFusion versions 2025.9, 2023.20, and earlier contain a path traversal flaw (CWE-22, Improper Limitation of a Pathname to a Restricted Directory) that can let an attacker read any file on the file system and modify a restricted set of files. This weakness could be used to expose confidential configuration data, alter application logic, or undermine the integrity of the system. The CVSS score of 9.3 reflects a severe impact. Based on the description, the vulnerability is inferred to require no user interaction: a crafted request sent to the ColdFusion application is sufficient to trigger the flaw.
Affected Systems
The affected products are Adobe ColdFusion, specifically releases 2025.9, 2023.20, and all earlier versions. Any system running these versions and not updated to a fixed release is susceptible to the path traversal attack.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.3; no EPSS score is available. Because no user interaction is required and the attack is remote, exploitation can occur over the web with minimal effort. The issue is not listed in CISA's KEV catalog, but its changed scope indicates that components beyond the originating context can be affected, raising the overall risk. Based on the description, the likely attack vector is a remote web-based request in which the attacker supplies a specially crafted path in order to read or write unauthorized files.
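The two passages above describe the flaw class (CWE-22) and its likely vector (a crafted path in a web request). The following is an added illustration, not Adobe's code and not derived from the ColdFusion fix: it places a naive file resolver next to a hardened one that normalises the path and then enforces containment under the web root, and it triages a few constructed access-log lines for traversal attempts, including percent-encoded and double-encoded forms. The web root `/var/www/app`, the file names, the IP addresses and the log lines are all constructed for the example.

```python
"""Added illustration for the CWE-22 class described above; not Adobe's code and
not derived from the ColdFusion patch. Shows (1) a naive file resolver next to
a hardened one, and (2) triage of constructed access-log lines for traversal
attempts, including percent-encoded and double-encoded variants."""
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

BASE_DIR = "/var/www/app"  # assumed web root, hypothetical


def resolve_naive(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: concatenate and normalise, but never check that
    the result is still inside base_dir."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: normalise, then require the result to be base_dir
    itself or a descendant of it. Returns None when the request escapes.
    Purely lexical so it is deterministic; a production version should also
    apply os.path.realpath to both sides so symlinks cannot bypass the check."""
    if "\x00" in requested:            # NUL can truncate paths in native code
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested.lstrip("/")))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(url_path: str) -> bool:
    """True when the decoded path (backslashes folded to '/') climbs a directory."""
    decoded = fully_decode(url_path).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


# Constructed Apache-style access-log lines using documentation IP ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /app/images/../../../../conf/app.properties HTTP/1.1" 200 1042
203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /app/view.cfm?file=..%2f..%2fconfig.xml HTTP/1.1" 200 2210
198.51.100.2 - - [10/Oct/2025:13:56:01 +0000] "GET /app/index.cfm HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2025:13:56:40 +0000] "GET /app/load.cfm?tpl=%252e%252e%252fWEB-INF%252fweb.xml HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def triage_log(text: str) -> List[dict]:
    """Return one record per request that looks like a traversal attempt.
    Attempts are reported regardless of status code: a 404 still shows intent."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if is_traversal_attempt(path):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "decoded": fully_decode(path),
                         "status": int(status)})
    return hits


if __name__ == "__main__":
    print("naive   :", resolve_naive(BASE_DIR, "../../../etc/hosts"))
    print("hardened:", resolve_within(BASE_DIR, "../../../etc/hosts"))
    for hit in triage_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['status']} {hit['decoded']}")
```

The containment check deliberately normalises before comparing rather than simply rejecting any `..`, so a benign `docs/../README.md` still resolves while anything that climbs above the root is refused. On the detection side, decoding is repeated a bounded number of times so that double-encoded requests are not missed, and a request that returned 404 is still reported, since a failed probe is the same signal as a successful one.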
OpenCVE Enrichment