CVE-2025-34074

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

Existe una vulnerabilidad de ejecución remota de código autenticada en la interfaz administrativa de Lucee debido a un diseño inseguro en la funcionalidad de tareas programadas. Un administrador con acceso a /lucee/admin/web.cfm puede configurar una tarea programada para recuperar un archivo .cfm remoto de un servidor controlado por un atacante. Este archivo se escribe en la raíz web de Lucee y se ejecuta con los privilegios de la cuenta de servicio de Lucee. Dado que Lucee no aplica comprobaciones de integridad, restricciones de ruta ni controles de ejecución para la obtención de tareas programadas, esta función puede utilizarse de forma abusiva para ejecutar código arbitrario. Este problema es distinto de CVE-2024-55354.