The ColdFusion Administrator Console must be hosted on a management network.

Severity: medium
Group ID: V-279064
Group Title: SRG-APP-000211-AS-000146
Version: APAS-CF-000420
Rule ID: SV-279064r1171544_rule
Date: 2025-12-19
STIG Version: 1
Description
ColdFusion is composed of two primary components: the Administrator Console and the hosted applications. Separating the Administrator Console from the hosted application environment enforces a strong security boundary, requiring users to authenticate with privileged credentials before gaining access to management functionality. This separation ensures that nonprivileged users—such as application users—are not presented with administrative interfaces or options, effectively reducing the attack surface and minimizing the potential for privilege escalation. Restricting visibility into administrative functions also limits the exposure of sensitive configuration details. In the event a nonprivileged account is compromised, the attacker gains no insight into ColdFusion's management features or internal architecture, impeding reconnaissance efforts and slowing down the progression of an attack. Hosting the Administrator Console on a dedicated management network ensures the console is accessible only from authorized administrative devices, isolates it from the application traffic and users, and reduces the risk of accidental exposure. Management networks also enforce encryption and strict access controls, providing additional protection against data leakage and unauthorized access to ColdFusion's administrative interface.
ℹ️ Check
Access the Administrator Console via a web browser. Record the IP address used to reach the console. Review the network diagram for the site to verify that this IP address belongs to a dedicated management network that is segmented from any public or production networks. If the Administrator Console is not hosted on a management network separate from the public network, this is a finding.
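To automate the address step of the check above, here is an added Python example (not part of the STIG or of ColdFusion) that resolves the console URL and tests each address against the site's management-network ranges; the CIDRs, the hostname and the stand-in resolver are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Assumed management-network ranges; replace with the site's own from its network diagram.
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.250.0.0/24"),
    ipaddress.ip_network("fd00:10:250::/64"),
]


def console_addresses(url, resolver=None):
    """Return the IP addresses the console URL points at (literal or resolved)."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    try:
        return [ipaddress.ip_address(host)]  # URL already carries a literal address
    except ValueError:
        pass
    if resolver is None:  # default: system DNS
        resolver = lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None)}
    return [ipaddress.ip_address(a) for a in sorted(resolver(host))]


def evaluate(url, management_networks=MANAGEMENT_NETWORKS, resolver=None):
    """Apply the STIG check: every address the console is reached at must lie in a
    management network. Returns (status, [(address, in_management), ...])."""
    results = [
        (str(addr), any(addr in net for net in management_networks))
        for addr in console_addresses(url, resolver)
    ]
    status = "not a finding" if results and all(ok for _, ok in results) else "finding"
    return status, results


if __name__ == "__main__":
    # Constructed resolver standing in for DNS: the console name answers with both a
    # management address and a public one, so the console is also reachable from
    # outside the management network and the check reports a finding.
    fake_dns = {"cfadmin.example.com": {"10.250.0.15", "203.0.113.8"}}
    for url in ("https://10.250.0.15/CFIDE/administrator/",
                "https://203.0.113.8/CFIDE/administrator/",
                "https://cfadmin.example.com/CFIDE/administrator/"):
        status, results = evaluate(url, resolver=lambda h: fake_dns[h])
        print(f"{status:14} {url}  {results}")
```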
✔️ Fix
Host the ColdFusion Administrator Console on a management network.