- Description
- An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.
- Source
- disclosure@vulncheck.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- disclosure@vulncheck.com
- CWE-94
- Hype score
- Not currently trending
🚨 CRITICAL RCE in Lucee admin (CVE-2025-34074)! 5.x/6.x at risk—admins can inject code via scheduled tasks. Restrict access & monitor configs now: https://t.co/C4ZqIXaR0Y #OffSeq #Lucee #Cybersecurity https://t.co/7DJxyonvxQ
@offseq
3 Jul 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-34074 Authenticated Remote Code Execution in Lucee Administrative Interface via Scheduled Task Retrieval https://t.co/7m9ecYem9x
@VulmonFeeds
2 Jul 2025
13 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes