Critical Vulnerabilities in Adobe ColdFusion and Experience Manager
16 December 2025
Adobe has released security updates addressing multiple critical vulnerabilities in Adobe ColdFusion and Adobe Experience Manager (AEM). Users and administrators are strongly advised to update to the latest versions immediately.
Background
Adobe has released security updates addressing multiple critical vulnerabilities in Adobe ColdFusion (CVE-2025-61808 and CVE-2025-61809) and Adobe Experience Manager (CVE-2025-64537 and CVE-2025-64539).
Impact
The vulnerabilities are:
CVE-2025-61808: Successful exploitation of this vulnerability could allow an attacker to perform remote code execution.
CVE-2025-61809: Successful exploitation of this improper input validation vulnerability could allow an attacker to bypass security measures and gain unauthorised read and write access.
CVE-2025-64537 and CVE-2025-64539: Successful exploitation of these DOM-based Cross-Site Scripting (XSS) vulnerabilities could allow an attacker to perform remote code execution.
Affected Products
The following product versions are affected by the vulnerabilities.
For CVE-2025-61808 and CVE-2025-61809:
ColdFusion 2021 - Update 22 and earlier versions
ColdFusion 2023 - Update 16 and earlier versions
ColdFusion 2025 - Update 4 and earlier versions
For CVE-2025-64537 and CVE-2025-64539:
Adobe Experience Manager (AEM) - AEM Cloud Service (CS), 6.5 LTS, 6.5.23 and earlier versions
Recommendations
Users and administrators of affected product versions are advised to update to the latest versions immediately.
References
https://helpx.adobe.com/security/products/coldfusion/apsb25-105.html
https://nvd.nist.gov/vuln/detail/CVE-2025-61808
https://nvd.nist.gov/vuln/detail/CVE-2025-61809
https://helpx.adobe.com/security/products/experience-manager/apsb25-115.html
