To our dedicated customers that are using ColdFusion. If you are not using ColdFusion, you can ignore this notice.

NOTE: I know some of you also have ColdFusion shared hosting accounts with us also, and yes, we have already taken care of all of our shared hosting servers.

There is security vulnerability related to CF Admin when accessible publicly. There is a patch that Adobe released, which you can install to fix this, however, a possible better solution is outlined below, as that will prevent this and other future issues related.

Here is how you should have the /CFIDE mapping handled if not done so already.

A normal install has the /CFIDE folder at:

This location is needed, however, it should not be your default /CFIDE mapping for domains added to the server.
We suggest copying the /scripts and /classes folder from this location and placing them at:

Then make sure that everyone has only read/execute permissions on the d:\home\CFIDE folder.

In your IIS, make sure any sites using a virtual CFIDE folder is changed to use the d:\home\CFIDE folder and NOT the c:\inetpub\wwwroot\CFIDE folder.

Now, in IIS, edit the Host Headers for the WWW item that is used for your CF Admin and remove from the list, assuming that entry is there. Then add an IIS item named CFAdmin pointed to the same directory as the IIS item that you currently use for the CFAdmin access, and set it to use and port 80. Next, create a Virtual Directory for this CFAdmin iis item and name it CFIDE and set it to the c:\inetpub\wwwroot\CFIDE folder.

Now, you can access CF Admin from the server via the address, removing the CF Admin access from the public.

Remember, in the future when you need to create any virtual /CFIDE folders, to use the new d:\home\CFIDE folder.