Lucee CVE-2025-34074 (requires admin password and admin to be not locked down / disabled)

Hi Team,
Do we have any recent patch for the CVE-2025-34074 security vulnerability?
Does this affect recent Lucee versions, and if so, may I know which versions are affected?

Well, this CVE requires authenticated admin access?

“Dave has the root password to the server and did something! OMG CVE!”

https://www.cve.org/CVERecord?id=CVE-2025-3407

Admin should be disabled / locked down on production, as per the lockdown guide

1 Like

Hi Zackster,
Thank you so much for your guidance. Would it be safe to proceed with locking down the Lucee server as per the guide, and will that adequately protect against CVE-2025-34074? I really appreciate your expertise on this.

It would be unsafe not to lock down your admin properly!

LUCEE_ADMIN_ENABLED=false

Also, for any security researchers reading this, please follow best practice and contact the Lucee team first via security@lucee.org

2 Likes

Do you even have any scheduled jobs that retrieve a remote .cfm?