Adobe ColdFusion XXE Vulnerability Leading to Security Feature Bypass

A vulnerability allowing improper restriction of XML external entity references (XXE) has been identified in Adobe ColdFusion versions 2025.2, 2023.14, and 2021.20 and earlier. This vulnerability could lead to a security feature bypass, allowing a high-privileged attacker to access sensitive information. Exploitation does not require user interaction, and the vulnerable component is limited to internal IP addresses.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive information, bypassing security features intended to protect such data.

Remediation

Users are advised to update to ColdFusion 2025 Update 3, ColdFusion 2023 Update 15, or ColdFusion 2021 Update 21. For instructions on how to update, refer to the Adobe ColdFusion downloads page. Additionally, for ColdFusion 2025, 2023, and 2021, set the JVM flag '-Djdk.serialFilter= !org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;' in the respective startup file for the application server being used.