We are pleased to announce that we have released the updates for the following ColdFusion versions:
In this release, we’ve addressed some security vulnerabilities and, as part of the fix, added the following JVM flags:
- -Dcoldfusion.cfclient.enable=true/false
- -Dcoldfusion.cfclient.allowNonCfc=true/false
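The two flags above are JVM system properties, which on a ColdFusion install are normally set on the java.args= line of the server's jvm.config (default location cfusion/bin/jvm.config) or through the JVM Arguments field in the ColdFusion Administrator. The following script is an added example, not code from Adobe or from the ColdFusion product: it reads a jvm.config, reports the value of each cfclient flag (or "unset" if the flag is absent), and gives a one-word summary so an administrator can quickly audit a fleet of servers after applying the update. The file paths, the sample jvm.config contents and the "disabled" interpretation of an explicit enable=false are assumptions made for the example; the post itself does not state the flags' defaults, so anything other than an explicit enable=false is reported for review against the Adobe tech note.

```shell
#!/bin/sh
# Added example (not from the Adobe post or from ColdFusion itself): inspect a
# ColdFusion jvm.config and report the state of the two cfclient JVM flags
# named in the update. The jvm.config path and the sample contents below are
# assumptions / constructed data; on a real install the file is normally
# <cf_root>/cfusion/bin/jvm.config and the flags live on its java.args= line.

# Print the value of -D<flag>=<value> from the java.args line of file $1, or
# "unset" if the flag is absent. The last occurrence wins, mirroring how the
# JVM treats repeated -D properties. Quoted arguments containing spaces are
# not handled; jvm.config flags normally have none.
cfclient_flag_value() {
    cfg="$1"
    flag=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep
    val=$(grep '^java.args=' "$cfg" | sed 's/^java.args=//' | tr ' ' '\n' \
          | grep "^-D$flag=" | tail -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
        echo "unset"
    else
        echo "$val"
    fi
}

# Summarise both flags as one status word. The interpretation is an assumption
# drawn from the flag names, not a statement from the post: an explicit
# enable=false is treated as cfclient being off; anything else is reported as
# "review" with both values so an operator checks it against the Adobe tech note.
cfclient_status() {
    enable=$(cfclient_flag_value "$1" coldfusion.cfclient.enable)
    noncfc=$(cfclient_flag_value "$1" coldfusion.cfclient.allowNonCfc)
    case "$enable" in
        false) echo "disabled" ;;
        *)     echo "review(enable=$enable,allowNonCfc=$noncfc)" ;;
    esac
}

# Stand-alone demonstration on two constructed jvm.config files.
demo_dir=$(mktemp -d)
cat > "$demo_dir/unpatched.jvm.config" <<'EOF'
# constructed sample: no cfclient flags present
java.home=/opt/coldfusion/jre
java.args=-server -Xmx2g -Dcoldfusion.home=/opt/coldfusion/cfusion
EOF
cat > "$demo_dir/hardened.jvm.config" <<'EOF'
# constructed sample: cfclient explicitly disabled
java.home=/opt/coldfusion/jre
java.args=-server -Xmx2g -Dcoldfusion.cfclient.enable=false -Dcoldfusion.cfclient.allowNonCfc=false -Dcoldfusion.home=/opt/coldfusion/cfusion
EOF
for f in "$demo_dir"/*.jvm.config; do
    echo "$(basename "$f"): $(cfclient_status "$f")"
done
```

Run it against each server's real jvm.config (for example `cfclient_status /opt/coldfusion/cfusion/bin/jvm.config`) after the update; a server that still reports "review(enable=unset,...)" has not had the flags added to its JVM arguments and should be checked against the tech note.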
For more information, see the tech notes below:
These updates fix security vulnerabilities that are mentioned in the security bulletin, APSB23-25.
The Docker images will be hosted shortly on Docker Hub.
Please update your ColdFusion versions and provide us with your valuable feedback.
I’ve finally gotten done the blog post I had planned on this update and the vuln/hack, including what could happen, what to do about it, and lots more.
To folks reading this: I will say that in my own opinion this security fix is far more important than the wording of this blog post suggests and even than the update technotes would suggest. To be clear, I HAVE personally seen both the “arbitrary code execution” and “arbitrary file system read” vulnerabilities having been perpetrated on multiple servers, and it IS grave (I am one of the folks listed on the APSB as having reported the issues).
I will have a blog post soon with more: not on how to perpetrate the hack, but what was possible, how to determine if someone may have performed it successfully on your server(s), and finally how folks on CF2016 and 11 can defend against it (as it affects them as well, but Adobe no longer offers updates for them. And of course, I always warn them also to get OFF those old unsupported versions.)
When I do offer that post (hopefully later today), I will add a link here.