You are currently viewing Critical Code Execution Vulnerability in Adobe ColdFusion

Critical Code Execution Vulnerability in Adobe ColdFusion

Adobe has released a critical security update that impacted Adobe ColdFusion and is assigned with a priority rating of 2. The Adobe Coldfusion Exploit found in the product affects ColdFusion versions 2016, 2018, and 2021 that would lead to arbitrary code execution.

The advisory published outlined the following information about the vulnerability:

  • CVE-2021-21087: An Improper Input Validation vulnerability that allows an attacker to cause arbitrary code execution.

This critical vulnerability stems from an improper input validation which means the affected product failed to properly validate the input provided by the user, which would affect the control flow of the program. As a result, this would allow an attacker to execute arbitrary code. However, there are no known instances of exploitation of this vulnerability by malware or threat groups.

Complete patching of CVE-2021-21087

It is important to note that applying the ColdFusion update is not sufficient to secure the servers. Users should also update their JDK/JRE to the latest version of the LTS releases for 1.8 (JDK/JRE 8) and JDK 11 correspondingly. The technotes found in the advisory have more details on applying these patches.

Product Updated Version Platform Priority rating Availability
ColdFusion 2016 Update 17 All 2 Tech note
ColdFusion 2018 Update 11 All 2 Tech note
ColdFusion 2021 Update 1 All 2 Tech note

Affected products in Adobe Coldfusion Exploit

  • Adobe ColdFusion 2016 Update 16 and earlier versions.
  • Adobe ColdFusion 2018 Update 10 and earlier versions.
  • Adobe ColdFusion 2021 Version 2021.0.0.323925.


Successful exploitation allows attackers to execute arbitrary code.


Update to Adobe ColdFusion 2016 Update 17, ColdFusion 2018 Update 11 or ColdFusion 2021 Update 1 and apply a corresponding JDK/JRE update.

Adobe has released the patch for the vulnerability. It is recommended that the affected systems should be patched as soon as possible. SanerNow can detect these vulnerabilities.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments