Adobe ColdFusion XML Injection Vulnerability Leading to Arbitrary File System Read

An XML Injection vulnerability has been identified in Adobe ColdFusion versions 2025.2, 2023.14, and 2021.20 and earlier. This vulnerability allows attackers to inject crafted XML or XPath queries, potentially leading to unauthorized file system access or causing a denial-of-service condition. Exploitation does not require user interaction, but the attacker must have access to shared secrets.

Impact

Exploitation of this vulnerability could result in unauthorized access to the file system, allowing attackers to read sensitive files. Additionally, it could cause a denial-of-service condition.

Remediation

Users are advised to update to ColdFusion 2025 Update 3, ColdFusion 2023 Update 15, or ColdFusion 2021 Update 21. For instructions on how to update, refer to the Adobe ColdFusion downloads page or the respective ColdFusion version update notes. After updating, it is recommended to apply the security configuration settings included in the ColdFusion Security documentation and to review the respective Lockdown guides for each ColdFusion version.