ColdFusion Remote Code Execution

HIGH (8.4)

Threat Intelligence

Low Risk
EPSS Score: 0.05% chance of exploitation (percentile: 16%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ColdFusion is a web application server and rapid development platform used for building dynamic web applications. This vulnerability allows an attacker to execute arbitrary code on your server by sending a malicious request, potentially leading to unauthorized access or data theft.

Am I affected?

Affected versions: 2021.22

If you don't recognise this software, you're probably not affected.

How to fix

Upgrade to ColdFusion 2025.4 or later from the Adobe website: https://www.adobe.com/go/coldfusion-upgrade

Immediate mitigations (until you can upgrade):
- Restrict network access to your ColdFusion instance (firewall it from the public internet)
- Audit CFML code for suspicious patterns
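To turn the "Am I affected?" and "How to fix" sections into something you can run over a fleet, here is an added example (not Adobe's code and not part of the original page) that classifies ColdFusion version strings against the figures given above. It assumes version strings arrive either in the advisory's `YEAR.UPDATE` shorthand or in the comma-separated `major,minor,update,build` form that the CFML variable `server.coldfusion.productversion` reports; that comma-separated layout is an assumption to confirm on your own install. The hostnames and version strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Figures taken from the advisory text above.
AFFECTED = (2021, 22)     # ColdFusion 2021 update 22 is listed as affected
FIXED_FROM = (2025, 4)    # ColdFusion 2025 update 4 or later is the stated fix

# Assumed layout of server.coldfusion.productversion: major,minor,update,build
_PRODUCTVERSION = re.compile(r"^(\d{4}),(\d+),(\d+),(\d+)$")
# Advisory shorthand, e.g. 2021.22
_SHORTHAND = re.compile(r"^(\d{4})\.(\d+)$")


def parse_version(raw: str) -> Tuple[int, int]:
    """Return (major, update) from either spelling, or raise ValueError."""
    raw = raw.strip()
    m = _PRODUCTVERSION.match(raw)
    if m:
        return int(m.group(1)), int(m.group(3))
    m = _SHORTHAND.match(raw)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError(f"unrecognised ColdFusion version string: {raw!r}")


def classify(raw: str) -> str:
    """
    'affected' - exactly the version the advisory lists
    'fixed'    - at or beyond the release the advisory says to upgrade to
    'unknown'  - anything else; this page does not list it, check Adobe's bulletin
    """
    major, update = parse_version(raw)
    if (major, update) == AFFECTED:
        return "affected"
    if (major, update) >= FIXED_FROM:   # tuple comparison: newer major wins, then update
        return "fixed"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by classification; malformed strings land under 'unparseable'."""
    out: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": [], "unparseable": []}
    for host, version in inventory.items():
        try:
            out[classify(version)].append(host)
        except ValueError:
            out["unparseable"].append(host)
    return out


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "cf-prod-01": "2021,0,22,330468",   # affected per the advisory
    "cf-prod-02": "2025,0,4,331000",    # the fixed release
    "cf-legacy":  "2018,0,15,314545",   # not listed on this page
    "cf-dev":     "2023.5",             # not listed on this page
    "cf-broken":  "build-unknown",      # cannot be parsed
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

Hosts that land in `unknown` are deliberately not reported as safe: the advisory names one affected build and one fixed baseline, so anything in between needs the vendor bulletin rather than a guess.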

References