Announcing ColdFusion updates released Sep 9 2025: p1 security update
An update for ColdFusion has been released, Sep 9 2025, for each of cf2025 (update 4), cf2023 (update 16) and cf2021 (update 22). In brief, it addresses a single P1 (Priority 1, "Critical") security vulnerabilities, along with an indicated update to the "feed" package (used by cffeed). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." More below.
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (there are more than one), and some info that I share below based on my experience helping people apply this and past updates.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.
Is anyone else in that scenario (or, I guess, any scenario) seeing the infamous "Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag" error after applying the hotfix?
I've uninstalled/re-installed the 'mail' package; I've cleared the felix-cache 3 different times. But, I can't get rid of the error.
Any other suggestions? Thank you.