Adobe ColdFusion XXE Vulnerability Leading to Security Feature Bypass

A vulnerability allowing improper restriction of XML external entity references (XXE) has been identified in Adobe ColdFusion versions 2025.2, 2023.14, and 2021.20 and earlier. This vulnerability could result in a security feature bypass, allowing attackers to access sensitive information or cause a denial-of-service condition by circumventing existing security measures. The issue is confined to internal IP addresses and exploitation does not require user interaction.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information or the ability to cause a denial-of-service condition by bypassing security measures.

Remediation

Users are advised to update to ColdFusion 2025 Update 3, ColdFusion 2023 Update 15, or ColdFusion 2021 Update 21. For instructions on using an external JDK, refer to the Adobe ColdFusion documentation. Additionally, consult the ColdFusion Lockdown Guides for security configuration recommendations.