CVE-2025-34074

UNKNOWN 0.0

Lucee Admin Interface Authenticated Remote Code Execution via Scheduled Job File Write

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

An authenticated remote code execution vulnerability exists in Lucee’s administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354.

CWE	CWE-94 CWE-829
Vendor	lucee association switzerland
Product	lucee
Published	Jul 2, 2025
Last Updated	Mar 23, 2026

Stay Ahead of the Next One

Get instant alerts for lucee association switzerland lucee

Be the first to know when new unknown vulnerabilities affecting lucee association switzerland lucee are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Lucee Association Switzerland / Lucee

5.0 6.0 All versions with scheduled task functionality

References

NVD ↗ CVE.org ↗ EPSS Data ↗

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/lucee_scheduled_job.rb github.com: https://github.com/lucee/Lucee vulncheck.com: https://vulncheck.com/advisories/lucee-admin-interface-rce

Credits

Alexander Philiotis of SynerComm