CVE-2025-34074

CRITICAL

Lucee - RCE

Title source: llm

Description

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

Exploits (1)

metasploit WORKING POC EXCELLENT

rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/lucee_scheduled_job.rb

View Code ZIP pw:eip

References (3)

[Various Sources] https://github.com/lucee/Lucee

[Various Sources] https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/lucee_scheduled_job.rb

[Third Party Advisory] https://vulncheck.com/advisories/lucee-admin-interface-rce

Scores

CVSS v4 9.4

EPSS 0.5733

EPSS Percentile 98.2%

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Details

CWE

CWE-829 CWE-94

Status published

Products (5)

Lucee Association Switzerland/Lucee 5.0

Lucee Association Switzerland/Lucee 5.x

Lucee Association Switzerland/Lucee 6.0

Lucee Association Switzerland/Lucee 6.x

Lucee Association Switzerland/Lucee All versions with scheduled task functionality

Published Jul 02, 2025

Tracked Since Feb 18, 2026