CVE-2025-34074

CRITICAL

Lucee Admin Scheduled Task - Remote CFM File Code Execution

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-34074. Includes Metasploit module exploits/multi/http/lucee_scheduled_job.

AI-analyzed exploit summary This Metasploit module exploits an authenticated RCE vulnerability in Lucee servers by creating a scheduled job that fetches and executes a malicious CFM file from an attacker-controlled server. The payload is executed with the privileges of the Lucee service account (root/lucee on Linux or a service account on Windows).

Description

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/lucee_scheduled_job.rb

View Code ZIP pw:eip

This Metasploit module exploits an authenticated RCE vulnerability in Lucee servers by creating a scheduled job that fetches and executes a malicious CFM file from an attacker-controlled server. The payload is executed with the privileges of the Lucee service account (root/lucee on Linux or a service account on Windows).

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Lucee (versions with exposed administrative interface)

Auth required

Prerequisites: Valid credentials for the Lucee administrative interface · Exposed administrative web interface · Network access to the target server

MITRE ATT&CK

T1059.007 - JavaScript T1190 - Exploit Public-Facing Application T1090 - Proxy

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Various Sources exploit

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/lucee_scheduled_job.rb

Various Sources product

https://github.com/lucee/Lucee

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/lucee-admin-interface-rce

Scores

CVSS v4 9.4

EPSS 0.0113

EPSS Percentile 62.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-829 CWE-94

Status published

Products (5)

Lucee Association Switzerland/Lucee 5.0

Lucee Association Switzerland/Lucee 5.x

Lucee Association Switzerland/Lucee 6.0

Lucee Association Switzerland/Lucee 6.x

Lucee Association Switzerland/Lucee All versions with scheduled task functionality

Published Jul 02, 2025

Tracked Since Feb 18, 2026