CVE-2025-34074: CWE-94 Improper Control of Generation of Code ('Code Injection') in Lucee Association Switzerland Lucee
CVE-2025-34074 is a critical authenticated remote code execution vulnerability in the Lucee web application server's administrative interface. It arises from insecure handling of scheduled tasks, allowing an administrator to configure a job that fetches and executes a remote .cfm file without integrity or path validation. Exploitation results in arbitrary code execution with the privileges of the Lucee service account. The vulnerability affects all Lucee versions with scheduled task functionality, notably versions 5.0 and 6.0. No user interaction or additional authentication beyond admin access is required. The CVSS 4.0 score is 9.
AI-Powered Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-34074 is a critical vulnerability in the Lucee web application server, specifically within its administrative interface's scheduled task functionality. Lucee allows administrators to schedule tasks that can fetch remote .cfm files and execute them. Due to a design flaw, Lucee does not enforce integrity checks, path restrictions, or execution controls on these scheduled task fetches. An attacker with administrative access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a malicious .cfm file hosted on an attacker-controlled server. This file is then written to the Lucee webroot and executed with the privileges of the Lucee service account, enabling arbitrary code execution on the server. The vulnerability leverages improper control over code generation (CWE-94) and inclusion of functionality from an untrusted control sphere (CWE-829). The flaw affects all versions of Lucee with scheduled task functionality, including versions 5.0 and 6.0. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and high privileges required, with high impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the vulnerability's critical severity and ease of exploitation by an authenticated admin make it a significant risk. This issue is separate from CVE-2024-55354, indicating a distinct attack surface. The lack of patch links suggests a fix may be pending or not yet publicly available.
Potential Impact
The vulnerability enables an attacker with administrative access to execute arbitrary code on the Lucee server with the privileges of the Lucee service account. This can lead to full system compromise, including data theft, service disruption, and lateral movement within the network. Because the malicious code executes with service-level privileges, attackers can manipulate application data, deploy backdoors, or pivot to other systems. The absence of integrity checks and path restrictions increases the risk of persistent compromise. Organizations relying on Lucee for web applications, especially those exposing administrative interfaces, face risks of data breaches, service outages, and reputational damage. The critical CVSS score reflects the potential for widespread impact if exploited in production environments. The requirement for administrative access limits exploitation to insiders or attackers who have already compromised admin credentials, but once accessed, the attack surface is severe. The vulnerability could be leveraged in targeted attacks against organizations using Lucee in sectors such as finance, government, healthcare, and e-commerce.
Mitigation Recommendations
To mitigate CVE-2025-34074, organizations should immediately restrict access to the Lucee administrative interface (/lucee/admin/web.cfm) using network-level controls such as VPNs, IP whitelisting, or firewalls to limit admin access to trusted personnel only. Enforce strong multi-factor authentication for all administrative accounts to reduce the risk of credential compromise. Disable or restrict scheduled task functionality if not required, or audit all scheduled tasks for suspicious remote fetch configurations. Monitor logs for unusual scheduled task creations or executions that fetch remote .cfm files. Implement application-layer controls to validate and restrict the sources of scheduled task fetches, if possible. Apply the official security patches from Lucee Association Switzerland as soon as they become available. In the interim, consider deploying web application firewalls (WAFs) with custom rules to detect and block attempts to create or execute malicious scheduled tasks. Conduct regular security audits and penetration tests focusing on administrative interfaces and scheduled task configurations. Educate administrators on the risks of scheduling tasks that fetch remote code and enforce policies to prevent unsafe configurations.
Affected Countries
United States, Germany, United Kingdom, France, Australia, Canada, Netherlands, Switzerland, India, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-04-15T19:15:22.550Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68658af26f40f0eb7293bb13
Added to database: 7/2/2025, 7:39:30 PM
Last enriched: 3/24/2026, 12:25:15 AM
Last updated: 3/24/2026, 6:51:11 AM