Rule ID
SV-279129r1171553_rule
Version
V1R1
CCIs
CCI-001199
The ColdFusion Performance Monitoring Toolset (PMT) Agent Package provides instrumentation and profiling capabilities that, while useful for performance troubleshooting, introduce unnecessary risk in a DOD environment. The PMT agent collects, stores, and transmits detailed information about ColdFusion server activity, queries, and application behavior. If deployed in production, this agent can inadvertently expose sensitive system details, execution paths, or database query patterns to unauthorized individuals. The PMT Agent Package increases the attack surface by adding components, services, and ports that must be secured, monitored, and patched. Improperly configured or unmonitored PMT agents could allow adversaries to gain insights into application internals, conduct reconnaissance, or pivot toward exploiting ColdFusion services. By prohibiting the installation of the PMT Agent Package, system administrators reduce complexity, limit potential vulnerabilities, and enforce the principle of least functionality.
Verify the PMT Agent Package is not installed. From the Admin Console Landing Screen, navigate to Package Manager >> Packages. If the "pmtagent" package is listed under the "Installed Packages" section, this is a finding.
Uninstall the PMT Agent Package.
1. From the Admin Console Landing Screen, navigate to Package Manager >> Packages.
2. Select the "pmtagent" package.
3. Select "Uninstall".
4. Select "OK".