ColdFusion Vulnerability

MEDIUM (5.6) No Patch (4 days)

Threat Intelligence

Low Risk
EPSS Score: 0.02% chance of exploitation (percentile: 5%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

ColdFusion is a web application server and development platform used for building dynamic web applications. This vulnerability allows attackers to bypass security measures and gain limited unauthorized write access, potentially resulting in denial of service.

Am I affected?

Affected versions: 2021.22

If you don't recognise this software, you're probably not affected.

Affected Products

Adobe Systems Incorporated / ColdFusion

How to fix

To fix this vulnerability, upgrade to ColdFusion 2025.4 or later. You can download the latest version from the Adobe website: https://www.adobe.com/products/coldfusion.html. Alternatively, you can use the following command to update your ColdFusion installation:

cftestbody -v --update

Immediate mitigations:

  • Restrict network access to your ColdFusion instance (firewall it from the public internet)
  • Audit admin account activity for suspicious access patterns
  • Monitor for unauthorized token creation
