Installed versions of ColdFusion must be supported by the vendor.

Severity: medium
Group ID: V-279102
Group Title: SRG-APP-000516-AS-000237
Version: APAS-CF-000995
Rule ID: SV-279102r1171420_rule
Date: 2025-12-19
STIG Version: 1
Description
Running unsupported versions of ColdFusion introduces significant risk to the security and stability of the application environment. Unsupported software no longer receives security patches, bug fixes, or vendor support, leaving known vulnerabilities unaddressed and exploitable by threat actors. These versions may contain flaws that have been publicly disclosed and weaponized, making them an easy target for attackers. Continuing to use obsolete ColdFusion versions increases the risk of system compromise, data exposure, and unauthorized access to application resources. Ensuring that only supported and maintained versions of ColdFusion are deployed allows the organization to receive timely updates, apply critical patches, and maintain compliance with DOD security requirements. Removing or upgrading unsupported instances helps reduce the attack surface, mitigate vulnerabilities, and ensure ColdFusion processes operate securely and reliably.
ℹ️ Check
Verify the ColdFusion version.
1. Open the ColdFusion Administrator Console.
2. Identify the version of ColdFusion currently installed (displayed in the upper-right system information icon).
3. Navigate to Adobe's official "Product and technical support periods" page: https://helpx.adobe.com/support/programs/eol-matrix.html
4. Locate the ColdFusion product version in the matrix and review the listed "End of Core Support" and/or "End of Extended Support" dates.
If the version of ColdFusion in use has passed its support period (core or extended), this is a finding.
✔️ Fix
Upgrade ColdFusion to a supported version or uninstall the application. All upgrade or uninstall actions must be executed in accordance with an approved application management plan.