Adobe ColdFusion Incorrect Authorization Vulnerability Allowing Security Feature Bypass

A vulnerability allowing incorrect authorization has been identified in Adobe ColdFusion versions 2025.2, 2023.14, and 2021.20 and earlier. This vulnerability could lead to a security feature bypass, allowing a low-privileged attacker to gain unauthorized access by circumventing established security measures. The issue is confined to internal IP addresses and exploitation does not require user interaction.

Impact

Exploitation of this vulnerability could result in unauthorized access by bypassing security measures, allowing attackers to gain access to resources or functionalities that should be restricted.

Remediation

Users are advised to update to ColdFusion 2025 Update 3, ColdFusion 2023 Update 15, or ColdFusion 2021 Update 21. For instructions on how to update, refer to the Adobe ColdFusion downloads page or the respective ColdFusion update tech notes. Additionally, review the ColdFusion Lockdown Guides for security configuration recommendations.