a product of
Foundeo Inc.

ColdFusion 2025 Security Report
Example of a Security Report produced by HackMyCF for servers running ColdFusion 2025


This report is for a ColdFusion 2025 Server, see an example security report for ColdFusion 2023 or a Lucee Security Report
Want reports like this for your ColdFusion or Lucee servers? HackMyCF starts at $20/month
  • Automatically scans your server on a daily, weekly, monthly or quarterly basis
  • Get Notified when ColdFusion, Java, CommandBox, etc. need to be updated.
  • Daily, Weekly, Monthly or Quarterly email report with info like below about your servers.

ColdFusion Server Security Report [example.com]

ColdFusion Version: 2025,0,0,331189
Operating System: UNIX amd64 5.15.49-linuxkit
Web Server: Apache
Server Local IP: 192.168.48.2
Probe API Version: 1.9
Java JVM: 21.0.2 Oracle Corporation running as root
JEE Server: Apache Tomcat/10.1.14
Hotfix Jars: empty.txt
Cumulative Hotfixes: [check] ColdFusion 2025 Initial Release Installed

Please note, Cumulative Hotfixes typically include all the prior hotfixes as well. So if you are on update 1, you can install update 3, and update 2 will also be installed. There are sometimes exceptions, or additional steps that you need to take. Please read the linked KB article for each hotfix you will be installing.

TLS / SSL Report

Common Name: [check] www.example.com
Certificate Expiration Date: [warn] April 28, 2025 (30 days)
Public Key Size: [check] 2048 (2048 or greater recommended)
Signature Algorithm: [check] sha256WithRSAEncryption
Contains Anchor Certificate: [check] No
Valid Chain Order: [check] Yes
Protocol Support:
  [check] SSLv2 Disabled
  (SSLv2 should be disabled; it has been considered weak for over 10 years and has been disabled in browsers by default since IE7)
  [warn] SSLv3 Enabled
  Preferred Cipher Suite: AES128-SHA (128 bit keysize) HTTP 200 OK
  (SSLv3 should be disabled; it has been considered weak since October 2014 due to the POODLE vulnerability. Disabling it may cause compatibility issues with IE on Windows XP and old Android clients)
  [warn] TLSv1 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
  (Disabling TLSv1 is recommended, see the TLS Browser Support Chart)
  [warn] TLSv1.1 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-SHA (256 bit keysize) HTTP 200 OK
  (TLS 1.1 may be considered early TLS with respect to PCI DSS 3.1 compliance. Talk to your QSA for details.)
  [check] TLSv1.2 Enabled
  Preferred Cipher Suite: ECDHE-RSA-AES256-GCM-SHA384 (256 bit keysize) HTTP 200 OK
  (TLS 1.2 should be enabled if TLS 1.3 is not)
Compression Supported: [check] No (Compression should be disabled due to CRIME)
Heartbleed: [check] Not Vulnerable
Logjam: [warn] 1024 bit DH Group using a common prime! (a unique 2028 bit DH group is recommended, More Info)
Session Renegotiation: [check] Client Initiated Session Renegotiation Disabled
  [check] Secure Session Renegotiation Supported
OpenSSL CCS Injection: [check] Not Vulnerable
Strict Transport Security: [warn] Not Enabled (More Info)

We found 11 security issues on your server example.com

critical
SSL Version 2 Enabled
Your Web Server is accepting SSL V2 connections, a weak protocol. For PCI compliance, and strong security you must disable this protocol on your web server.
More Information: https://foundeo.com/products/iis-weak-ssl-ciphers/
critical
Robust Exception Information is Enabled
Robust Exception Information is enabled which leads to path disclosure and partial source code disclosure. This can also be triggered if you have a custom error handler that is disclosing too much information (such as a stack trace).
important
ColdFusion Administrator is Public
ColdFusion Administrator should be restricted by IP or blocked with Web Server password protection. Also consider requiring an SSL connection.
More Information: https://www.petefreitag.com/blog/coldfusion-admin-public/
important
CFTOKEN is not a UUID
CFTOKEN should be set to use a UUID in the ColdFusion Administrator. Session ids may be very easy to guess if UUIDs are not used.
important
RDS may be Enabled
RDS may be enabled on your server (due to a change in recent CF versions we can no longer detect if it is on or off; however, we have detected that the RDSServlet URI is responding to requests). We recommend that you block the URI /CFIDE/main/ide.cfm and/or remove the Servlet Mapping in web.xml to prevent unnecessary access to the RDSServlet.
important
The JVM is Running under Privileged User Account
The JVM process is running under a system administrative account (e.g. SYSTEM, Administrator, or root). ColdFusion should be running under an unprivileged user account.
important
The /cf_scripts/scripts directory is in the default location.
Consider changing the default location of /cf_scripts/scripts/ or /cfscripts_2018/ by changing the value of the Default Script Src setting in the ColdFusion Administrator.
More Information: https://www.petefreitag.com/blog/coldfusion-cfide-cfscripts/
important
Java Security Update Available
The JVM that you are running contains security vulnerabilities that could be exploited in server side environments. Update to the latest supported version of Java for your CFML Server. Note that Oracle Java requires a commercial license. Adobe CF customers can download Oracle Java 11 (CF2021 and below) or Java 17 (CF2023) from the ColdFusion Downloads Page. You can also use OpenJDK, Amazon Corretto, or other non-Oracle JVMs for free.
More Information: https://www.petefreitag.com/blog/updating-java-coldfusion-lucee/
important
Tomcat 10 Vulnerability
The version of Tomcat 10 you are running contains security vulnerabilities that are fixed in Tomcat Version 10.1.34 or greater. Please note that Tomcat 10.0 has reached End of Life, you should update to the latest 10.1.x release if you are using 10.0.
More Information: https://tomcat.apache.org/security-10.html
warning
Session Cookies are not marked HTTPOnly
Using HTTPOnly cookies prevents the session cookies from being hijacked via a JavaScript XSS attack on modern browsers.
More Information: https://www.petefreitag.com/blog/httponly-session-coldfusion/
warning
SSL Certificate Expires Soon
Your SSL certificate will expire soon, please make sure you renew it.

Please note, this tool is not able to test for all potential security issues that may exist.

Dig Deeper & Stay Updated with Our Paid Service

When you sign up for our service you can:

  • Find more security issues such as JVM vulnerabilities, missing ColdFusion hotfixes, etc. (using our probe)
  • Receive Automated Daily, Weekly, Monthly, or Quarterly server vulnerability reports
  • Keep track of multiple servers at once
  • Keep track of which hotfixes were installed and when.
  • Get notified when new security hotfixes are released.
  • PDF Reports
  • Scan as much as you want, and view results instantly.

Pricing starts at $10/month

Severity Key

Critical
Found 2 Critical Issues
These issues pose a significant security risk. It is imperative that they are resolved at once.

Important
Found 7 Important Issues
These issues may have a security risk in certain conditions. It is recommended that you resolve them.

Warning
Found 2 Warnings
You should consider fixing these issues, however, they do not pose a large risk.

See a List of ColdFusion Security Vulnerabilities detected by this tool.