
A critical security flaw has been discovered in Lucee, the high-performance, open-source CFML (ColdFusion Markup Language) application server. Tracked as CVE-2025-34074 and carrying a CVSS score of 9.4, this vulnerability allows authenticated administrators to execute arbitrary remote code through the misuse of Lucee’s scheduled task functionality.
With support for Java integration, HTTP, ORM, and dynamic scripting, Lucee is widely used by developers to build scalable and high-speed applications—but this flexibility also introduces serious security risks if not tightly controlled.
The flaw resides in the administrative interface of Lucee, specifically in how it handles scheduled tasks. An authenticated user with access to /lucee/admin/web.cfm can configure a job to fetch a remote .cfm file (a CFML script) from an attacker-controlled server. Lucee then writes the file to its webroot and automatically executes it—with the full privileges of the Lucee server process.
“Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution,” reads the CVE description.
In essence, once an attacker gains admin access (via brute-force, phishing, insider compromise, or previously leaked credentials), they can easily deploy a malicious payload that compromises the entire server.
The vulnerability impacts all supported versions of Lucee with scheduled task capabilities:
- Lucee 5.x
- Lucee 6.x
- All prior versions where scheduled job functionality exists
This widespread exposure across versions makes patching and mitigations a high priority for system administrators.
Making matters worse, a Metasploit module for this vulnerability has already been released, dramatically lowering the barrier to exploitation.
This vulnerability grants full code execution on the target server and can lead to:
- Complete system compromise
- Backdoor installation
- Credential theft or pivoting to internal networks
- Data exfiltration or destruction
- Abuse of the server for lateral movement or C2 hosting
Given that Lucee powers many enterprise and government applications, a successful exploit could lead to data breaches, operational disruptions, or even supply chain compromise.
Until a patch is issued, organizations are strongly urged to:
- Restrict access to the Lucee admin interface via IP allowlists or VPNs.
- Audit all existing scheduled tasks for suspicious remote file pulls.
- Monitor file changes in the webroot, especially for unexpected .cfm files.
- Review admin login attempts and rotate credentials.
- Apply available patches or hotfixes once released by the Lucee development team.
Administrators can also consider temporarily disabling scheduled tasks if the feature is not in active use.
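The webroot check recommended above, as an added example that is not part of the original advisory or of the Lucee project: it snapshots the SHA-256 of every CFML file under a webroot, stores that as a baseline, and on later runs reports any CFML file that is new or changed, which is exactly the artifact a fetched scheduled-task script would leave behind. The webroot path and the file names in the usage line are assumptions.

```python
"""Baseline-and-diff check for unexpected CFML files in a Lucee webroot.

Added example, not Lucee project code. The webroot path passed on the
command line and the baseline file name are assumptions.
"""
import hashlib
import json
import sys
from pathlib import Path

# Extensions Lucee executes as CFML. Components (.cfc) are included because
# a fetched component is just as executable as a fetched template (.cfm).
CFML_SUFFIXES = {".cfm", ".cfml", ".cfc"}


def _sha256(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot: str) -> dict:
    """Map each CFML file under webroot (POSIX relative path) to its SHA-256."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): _sha256(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in CFML_SUFFIXES
    }


def diff_against_baseline(webroot: str, baseline: dict) -> list:
    """Return sorted (relative_path, 'new' | 'modified') pairs versus baseline."""
    findings = []
    for rel, digest in sorted(snapshot(webroot).items()):
        if rel not in baseline:
            findings.append((rel, "new"))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    return findings


if __name__ == "__main__":
    # Usage: check_webroot.py /path/to/webroot baseline.json (assumed paths)
    webroot, baseline_file = sys.argv[1], Path(sys.argv[2])
    if not baseline_file.exists():  # first run: record the known-good state
        baseline_file.write_text(json.dumps(snapshot(webroot), indent=2))
        print(f"baseline written to {baseline_file}")
    else:  # later runs: report anything Lucee (or an attacker) wrote since
        for rel, change in diff_against_baseline(webroot, json.loads(baseline_file.read_text())):
            print(f"{change.upper():9} {rel}")
```

Run it once right after auditing the scheduled tasks to record the baseline, then from cron or a scheduler; any NEW or MODIFIED line is worth an immediate look.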