Announcing ColdFusion updates of Dec 9 2025 - p1 security update and more
In brief, this update (for all 3 versions) addresses several P1 (Priority 1, "Critical") security vulnerabilities, and also updates Tomcat, along with updating several CF packages, and makes some other changes (see below). Note that Adobe is also reporting currently that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.
Having installed the update for each of the releases on multiple machines, I can report that it went well expect for this:
Warning: beware that some folks implementing the update for CF2023 the first day (myself included) found that after applying the update, the CF Admin was inaccessible and packages that were updates were unexpectedly uninstalled. I have offered a follow-up blog post on that, One explanation and solution for when applying CF updates uninstalls new packages unexpectedly, including how to solve the problem as I see it, and how to ensure your own manual efforts to solve it are complete.
Read on for more, including many other observations I offer about what else has changed with this update, and some concluding thoughts on best practices regarding any CF update.




