Announcing ColdFusion updates released Sep 9 2025: p1 security update
An update for ColdFusion has been released, Sep 9 2025, for each of cf2025 (update 4), cf2023 (update 16) and cf2021 (update 22). In brief, it addresses a single P1 (Priority 1, "Critical") security vulnerabilities, along with an indicated update to the "feed" package (used by cffeed). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates." More below.
As usual, there are a number of things you should consider before (or after) doing the update, with some discussed in Adobe's resources on the update (there are more than one), and some info that I share below based on my experience helping people apply this and past updates.
In this post, I share the details about the update (from Adobe and from others). I can report I have installed the update for each release on multiple machines and operating systems without any major incidents. As for challenges (common to recent releases) and lessons learned (about this update), read on.
Is anyone else in that scenario (or, I guess, any scenario) seeing the infamous "Cannot find implementation class coldfusion.tagext.mail.MailTag for the mail tag" error after applying the hotfix?
I've uninstalled/re-installed the 'mail' package; I've cleared the felix-cache 3 different times. But, I can't get rid of the error.
Any other suggestions? Thank you.
In my case, several more files were reported "missing" in that log during the startup. And I found them listed as several "removed" by the update in the hotfixfilelist.log, located next to the update log.
And like you I copied the ones listed as missing back into place. The update had saved them into its backup/bundles folder. I copied those listed as missing back into cf's bundles/repo folder, and I restarted CF. The errors were gone and tests worked.
I want to repeat: this was NOT needed in other updates of that same version, each configured the same way and updated the same way (in my case using the admin, not the offline manual update you mention).
So no, I wasn't doing it as you were, but my point is that one had the problem I saw but the rest did not. So it just supports again that it's not clear that even even everyone who updates the way you did will have the problem you did.
Still, thanks for sharing your observation. If you have your logs and could check what I did, it might be interesting to hear what you'd see.
I think the most interesting thing will be to find what CAUSES these errors, when they may or may not happen on what seem at least to be identically configured cf instances. Clearly SOMETHING is different.
But at least you and I have offered two scenarios, with solutions that may help others. I know some people don't care to understand WHY problems might happen: they just want the solution. As always, I hope to offer both. :-)
I'll be trying the approach you followed, to see if and when I may get that problem you did. Hope all this may help someone. Thanks again for adding to the conversation--and the research.