
V-279099

CAT II (Medium)

ColdFusion Backup Directory must be deleted.

Rule ID

SV-279099r1172837_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002617

Discussion

Installation of patches and updates is performed when there are errors or security vulnerabilities in the current release of the software. When previous versions of software components are not removed from ColdFusion after updates have been installed, an attacker may use the older components to exploit the system. ColdFusion creates a backup directory for an update when the update is installed. This backup directory allows the system administrator (SA) to uninstall the update if an error occurs or an incompatibility is found with the hosted applications. Once the update is tested and found to work correctly, the backup directory must be removed so that the update cannot be uninstalled.

Check Content

Verify Update Backup Directory has been deleted.

Navigate to C:\ColdFusion2023\cfusion\hf-updates.

If any backup directories exist in the "hf-updates" folder, this is a finding.

Note: Do not remove the backup directory for an update until the update has been tested and the ColdFusion server has been verified to be operating correctly.
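
One way to script the check above in PowerShell, as an added example that is not part of the STIG or of Adobe's tooling. It treats every subdirectory of hf-updates as a candidate backup for the reviewer to confirm (an assumption, since the check text does not say how backup directories are named), and it only reports; the function name `Get-CFUpdateBackupFinding` and its status values are chosen here.

```powershell
# Added example: read-only check for V-279099. It reports and never deletes,
# because backups must stay until the update has been tested.
function Get-CFUpdateBackupFinding {
    [CmdletBinding()]
    param(
        # Path from the STIG check text; change it for a non-default install.
        [string]$HfUpdatesPath = 'C:\ColdFusion2023\cfusion\hf-updates'
    )

    if (-not (Test-Path -LiteralPath $HfUpdatesPath -PathType Container)) {
        # Nothing to inspect here; the reviewer should confirm the install location.
        return [pscustomobject]@{
            Status      = 'PathNotFound'
            Path        = $HfUpdatesPath
            Directories = @()
        }
    }

    # Assumption: any subdirectory is a candidate backup for the reviewer to confirm.
    $dirs = @(
        Get-ChildItem -LiteralPath $HfUpdatesPath -Directory -Force -ErrorAction Stop |
            ForEach-Object {
                $files = @(Get-ChildItem -LiteralPath $_.FullName -Recurse -File -Force `
                               -ErrorAction SilentlyContinue)
                $bytes = ($files | Measure-Object -Property Length -Sum).Sum
                [pscustomobject]@{
                    Name          = $_.Name
                    LastWriteTime = $_.LastWriteTime   # compare with the update's test sign-off date
                    FileCount     = $files.Count
                    SizeMB        = [math]::Round($bytes / 1MB, 2)
                }
            }
    )

    [pscustomobject]@{
        Status      = if ($dirs.Count -gt 0) { 'Finding' } else { 'NotAFinding' }
        Path        = $HfUpdatesPath
        Directories = $dirs
    }
}

$result = Get-CFUpdateBackupFinding
'{0}: {1}' -f $result.Status, $result.Path
$result.Directories | Sort-Object LastWriteTime | Format-Table -AutoSize
```

The per-directory timestamp and size give the reviewer something to record as evidence and to match against the date the update was accepted.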

Fix Text

Remove Update Backups.

1. Navigate to C:\ColdFusion2023\cfusion\hf-updates.

2. Remove any backups from hf-updates.