ColdFusion XXE Bypass

ColdFusion is a web application server used for building dynamic web applications. This vulnerability allows attackers to bypass security restrictions and access sensitive files on the server by exploiting an XML External Entity Reference (XXE) vulnerability.

Affected versions: 2021.22 If you don't recognise this software, you're probably not affected.

1. Upgrade to ColdFusion 2025.4 or later from the official DynamiApps website.
2. Immediate mitigations:
   • Restrict network access to your ColdFusion instance (firewall it from the public internet)
   • Audit admin account activity for suspicious access patterns
   • Monitor for unauthorized XXE requests

• Vendor Advisory