ColdFusion XXE Bypass

MEDIUM (6.2) No Patch (4 days)

Threat Intelligence

Low Risk
EPSS Score: 0.07% chance of exploitation (percentile: 22%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ColdFusion is a server-side scripting and application development platform. This vulnerability allows attackers to bypass security restrictions on XML external entity references ('XXE'), potentially leading to arbitrary file system reads. A successful exploit could grant access to sensitive files and data on the server.

Am I affected?

Affected versions: 2021.22. If you don't recognise this software, you're probably not affected.

Affected Products

Adobe / ColdFusion

How to fix

To fix this vulnerability:

  1. Upgrade to ColdFusion 2025.4 or later.
    • Download from: https://www.adobe.com/support/coldfusion.html
  2. Immediate mitigations:
    • Restrict network access to your ColdFusion instance (firewall it from the public internet)
    • Audit admin account activity for suspicious access patterns
    • Monitor for unauthorized token creation
