=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN607
_____________________________________________________________________

DATE                : 12/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe ColdFusion.

=====================================================================
https://helpx.adobe.com/security/products/coldfusion/apsb25-93.html
_____________________________________________________________________

Last updated on Sep 9, 2025

Security updates available for Adobe ColdFusion | APSB25-93

Bulletin ID       Date Published       Priority

APSB25-93         September 9, 2025    1


Summary

Adobe has released security updates for ColdFusion versions 2025, 2023
and 2021. These updates resolve a critical vulnerability that could
lead to arbitrary file system write.

 Adobe is not aware of any exploits in the wild for any of the issues
addressed in these updates.


Affected Versions

Product             Update number                    Platform

ColdFusion 2025     Update 3 and earlier versions    All

ColdFusion 2023     Update 15 and earlier versions   All

ColdFusion 2021     Update 21 and earlier versions   All


Solution

Adobe categorizes these updates with the following priority rating
and recommends users update their installations to the newest
versions:

Product          Updated Version  Platform  Priority rating  Availability

ColdFusion 2025  Update 4         All       1                Tech Note

ColdFusion 2023  Update 16        All       1                Tech Note

ColdFusion 2021  Update 22        All       1                Tech Note


Note

For security reasons, we strongly recommend using the latest MySQL Java
connector. For more information on its usage, please refer to
https://helpx.adobe.com/coldfusion/kb/coldfusion-configuring-mysql-jdbc.html

See the updated serial filter documentation for more details on
protection against insecure WDDX deserialization attacks:
https://helpx.adobe.com/coldfusion/kb/coldfusion-serialfilter-file.html


Vulnerability Details

Vulnerability Category : Improper Limitation of a Pathname to a Restricted
                         Directory ('Path Traversal') (CWE-22)
Vulnerability Impact   : Arbitrary file system write
Severity               : Critical
CVSS base score        : 9.0
CVSS vector            : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE Numbers            : CVE-2025-54261


Acknowledgements:

Adobe would like to thank the following researchers for reporting this
issue and for working with Adobe to help protect our customers:

    Nhien Pham (nhienit2010) - CVE-2025-54261

NOTE: Adobe has a public bug bounty program with HackerOne. If you are
interested in working with Adobe as an external security researcher,
please check out https://hackerone.com/adobe

Note

Adobe recommends updating your ColdFusion JDK/JRE LTS version to the
latest update release as a secure practice. The ColdFusion downloads
page is regularly updated to include the latest Java installers for
the JDK version your installation supports as per the matrices below. 

    ColdFusion 2025 support matrix 
    ColdFusion 2023 support matrix
    ColdFusion 2021 support matrix

For instructions on how to use an external JDK, view Change
ColdFusion JVM. 

Adobe also recommends applying the security configuration settings
included in the ColdFusion Security documentation and reviewing the
respective Lockdown guides.

    ColdFusion 2025 Lockdown Guide
    ColdFusion 2023 Lockdown Guide
    ColdFusion 2021 Lockdown Guide


ColdFusion JDK Requirement

COLDFUSION 2025 (version 2023.0.0.331385) and above
For Application Servers

On JEE installations, set the following JVM flag in the respective startup
file, depending on the type of Application Server being used:

    -Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh' file
WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd' file
WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf' file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone
installation.

COLDFUSION 2023 (version 2023.0.0.330468) and above
For Application Servers

On JEE installations, set the following JVM flag in the respective startup
file, depending on the type of Application Server being used:

    -Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh' file
WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd' file
WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf' file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone
installation.

COLDFUSION 2021 (version 2021.0.0.323925) and above
For Application Servers

On JEE installations, set the following JVM flag in the respective startup
file, depending on the type of Application Server being used:

    -Djdk.serialFilter=!org.mozilla.**;!com.sun.syndication.**;!org.apache.commons.beanutils.**;!org.jgroups.**;!com.sun.rowset.**;!com.mysql.cj.jdbc.interceptors.**;!org.apache.commons.collections.**;

For example:
Apache Tomcat Application Server: edit JAVA_OPTS in the 'Catalina.bat/sh' file
WebLogic Application Server: edit JAVA_OPTIONS in the 'startWeblogic.cmd' file
WildFly/EAP Application Server: edit JAVA_OPTS in the 'standalone.conf' file
Set the JVM flags on a JEE installation of ColdFusion, not on a standalone
installation.
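The serialFilter flag above is easy to damage when copied from a formatted page: the JDK does not trim whitespace inside patterns, and an unquoted space in JAVA_OPTS splits the option into two arguments. As an added example (not from the Adobe bulletin or CERT-Renater), this POSIX sh script builds the deny-list value from package names, lints a value for those mistakes, and emits the JAVA_OPTS line for a catalina.sh-style startup file; the package names in the demo are the bulletin's, the `org.example` entry is constructed.

```sh
#!/bin/sh
# Added example (not from the Adobe bulletin or CERT-Renater): build and
# lint the -Djdk.serialFilter deny-list before pasting it into JAVA_OPTS.
# POSIX sh, no dependencies.

# One "!pkg.**;" entry per package and no whitespace anywhere: the JDK does
# not trim patterns, so " !pkg.**" is a rule that never matches anything.
build_serial_filter() {
    out=""
    for pkg in "$@"; do
        out="${out}!${pkg}.**;"
    done
    printf '%s' "$out"
}

# Return 1 if the value contains whitespace (an unquoted JAVA_OPTS entry is
# split there by the shell) or if a pattern is neither a JDK resource limit
# nor a "!pkg.**" deny rule (a bare pattern would be an allow rule).
validate_serial_filter() {
    value=$1
    case $value in
        *[[:space:]]*) echo "reject: whitespace in filter value" >&2; return 1 ;;
    esac
    rest=$value
    while [ -n "$rest" ]; do
        pat=${rest%%\;*}                                  # up to next ';'
        case $rest in *\;*) rest=${rest#*\;} ;; *) rest="" ;; esac
        case $pat in
            '') ;;                                        # empty field
            maxdepth=*|maxarray=*|maxrefs=*|maxbytes=*) ;; # JDK limits
            '!'*'.**') ;;                                 # deny rule
            *) echo "reject: '$pat' is not a !pkg.** deny rule" >&2; return 1 ;;
        esac
    done
    return 0
}

# The line to append to a catalina.sh-style startup file; quoting keeps the
# flag a single word.
java_opts_line() {
    printf 'JAVA_OPTS="$JAVA_OPTS -Djdk.serialFilter=%s"\n' "$1"
}

# Demo with the packages named in the bulletin, then a constructed value
# carrying the stray space that a copy from a formatted page introduces.
CLEAN=$(build_serial_filter org.mozilla com.sun.syndication \
    org.apache.commons.beanutils org.jgroups com.sun.rowset \
    com.mysql.cj.jdbc.interceptors org.apache.commons.collections)
validate_serial_filter "$CLEAN" && java_opts_line "$CLEAN"
validate_serial_filter "$CLEAN !org.example.**;" || echo "fix it before use"
```

On a running JEE instance, `jcmd <pid> VM.system_properties | grep jdk.serialFilter` shows the value the JVM actually loaded, which is the check that matters after editing the startup file.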

For more information, visit https://helpx.adobe.com/security.html,
or email PSIRT@adobe.com
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
