
V-279102

CAT II (Medium)

Installed versions of ColdFusion must be supported by the vendor.

Rule ID

SV-279102r1171420_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported software no longer receives security patches, bug fixes, or vendor support, leaving known vulnerabilities unaddressed and exploitable by threat actors. These versions may contain flaws that have been publicly disclosed and weaponized, making them an easy target for attackers. Continuing to use obsolete ColdFusion versions increases the risk of system compromise, data exposure, and unauthorized access to application resources. Ensuring that only supported and maintained versions of ColdFusion are deployed allows the organization to receive timely updates, apply critical patches, and maintain compliance with DOD security requirements. Removing or upgrading unsupported instances helps reduce the attack surface, mitigate vulnerabilities, and ensure ColdFusion processes operate securely and reliably.

Check Content

Verify the ColdFusion version. 

1. Open the ColdFusion Administrator Console.

2. Identify the version of ColdFusion currently installed (displayed in the upper-right system information icon).

3. Navigate to Adobe's official "Product and technical support periods" page:
https://helpx.adobe.com/support/programs/eol-matrix.html

4. Locate the ColdFusion product version in the matrix and review the listed "End of Core Support" and/or "End of Extended Support" dates.

If the version of ColdFusion in use has passed its support period (core or extended), this is a finding.

Fix Text

Upgrade ColdFusion to a supported version or uninstall the application. All upgrade or uninstall actions must be executed in accordance with an approved application management plan.