ColdFusion is a web application server software used by some organizations for building and deploying web applications. This vulnerability allows attackers to execute arbitrary code on the server, potentially leading to unauthorized access to sensitive data or system configuration.
Affected versions: 2021.22 If you don't recognise this software, you're probably not affected.
Upgrade to ColdFusion 2025.5 or later from the Adobe website: https://www.adobe.com/support/coldfusion.html
- Immediate mitigations:
* Restrict network access to your ColdFusion instance (firewall it from the public internet)
* Audit admin account activity for suspicious access patterns
* Monitor for unauthorized token creation