
Planning CF21 to CF23 Migration in 2026 - Security & Support Concerns?

Participant, Oct 27, 2025

Current Setup:

  • ColdFusion 2021, Version 2021,0,02,328618 (Update 2)
  • Planning to migrate to ColdFusion 2023 in 2026

Question: I'm aware that ColdFusion 2021 reaches end-of-life on November 10, 2025. I'm currently running CF21 Update 2 (from September 2021) and planning to migrate to CF23 sometime in 2026.

My concerns:

  1. What are the security risks of running CF21 after November 10, 2025 with no more updates available?
  2. Should I at least update to CF21 Update 22 before the EOL date?
  3. Is it feasible/safe to wait until 2026 for the CF23 migration, or should I accelerate this timeline?
  4. Are there any compliance issues (PCI, HIPAA, etc.) with running an unsupported CF version?

Any advice on the best path forward would be appreciated. Should I prioritize updating to the latest CF21 patch first, or should I fast-track the CF23 migration?

Thanks in advance for your guidance!

TOPICS: Security, Server administration
Explorer, Oct 27, 2025

Hi @weezerboy -

I've responded to your 4 questions below too, but here are my general thoughts on this --

CF 2021U2 was released on September 14, 2021 - so that's already *really* old. Subsequent updates have fixed many critical vulnerabilities, including ones that have public exploits available and have been exploited in the wild. Running this version of ACF comes with considerable risk, especially if it's accessible over the public Internet or other untrusted networks. I'd recommend getting to *something* more recent, as soon as possible. Getting to the latest version of CF2023 would be the best resolution, but if you can update to CF21U22 right away, that would be a big immediate improvement with respect to security. Note there are some breaking changes to be aware of in later versions of CF2021 and CF2023 (see #2 below).

  1. The short answer is that no security updates will be available. Time will tell the risk/impact of this. But November 11 is the next Adobe Patch Tuesday, so if any ColdFusion patches are released, they (presumably) won't cover CF 2021 -- unless Adobe decides to release security patches past EOL.
  2. Yup. There will be immediate security improvements from updating to CF21U22. However, be aware of potentially breaking changes around variable scoping, remote CFC method arguments, the encrypt() function, and more. Many of these changes have been discussed on this forum, and in resources from Adobe and others.
  3. I'd personally want to migrate sooner, but that's your call. 🙂
  4. Potentially - yes. That's a question for your Security/Legal/Compliance folks to determine for you, but both HIPAA and PCI have requirements around patching process and patching timelines. There are also multiple ColdFusion vulnerabilities since CF2021U2 in the CISA KEV (Known Exploited Vulnerabilities) catalog, which are tied to federal system requirements, if applicable to you. It will be hard to be compliant if you're missing 4+ years (CF2021U2) of critical security patches.

Community Expert, Oct 27, 2025

I think @Brian__ 's answer is pretty good. Let me just add a few things to it.

1. Adobe offers an extended support plan for CF 2021 that will last until one year after the regular support EOL (26 Nov 2026). Obviously, your organization would have to pay for that, but it may be the easiest solution if you're really confident about migrating a few months before then, or just want to defer this question until later. I have no idea how much this costs.
https://coldfusion.adobe.com/2025/04/planning-ahead-coldfusion-2021-support-ending-soon/

Beyond that, who knows? Adobe, or someone else, could find an effectively unfixable vulnerability the day after support ends.

2. If you do choose the extended support plan, you should ask your Adobe support person about that, but until you do, my answer would be yes, you should patch to the latest CF 2021 as soon as you can.

3. This largely depends on your own internal team and management. Ideally, in my opinion, you'd do it as soon as possible. It's probably going to take longer than you expect. But you may be able to rely on something else to delay this. For example, let's say you use a reverse proxy configuration, preventing users from directly connecting to your server. This would protect you from some vulnerabilities that may crop up. You may be able to get a waiver you can put into your plan of action & maintenance (POA&M) for that server (if your team does POA&Ms and waivers).

4. I'm not aware of any HIPAA compliance issues with running an unsupported version, but there will likely be PCI-DSS issues. Again, though, you might be able to get a waiver for this.

Good luck!

Dave Watts, Eidolon LLC
Explorer, Oct 27, 2025

> 1. Adobe offers an extended support plan for CF 2021 that will last until one year after the regular support EOL (26 Nov 2026). Obviously, your organization would have to pay for that, but it may be the easiest solution if you're really confident about migrating a few months before then, or just want to defer this question until later. I have no idea how much this costs.
> https://coldfusion.adobe.com/2025/04/planning-ahead-coldfusion-2021-support-ending-soon/
>
> Beyond that, who knows? Adobe, or someone else, could find an effectively unfixable vulnerability the day after support ends.

It's worth calling out that per the link above, Adobe has stated that extended support does not include security patches.

Community Expert, Oct 28, 2025

Yeah, that makes a big difference!

Dave Watts, Eidolon LLC
Community Expert, Oct 28, 2025

Here are some thoughts in addition to those of @Brian__ and @Dave Watts .

  1. What are the security risks of running CF21 after November 10, 2025 with no more updates available?
    The risk is between High and Very High (on a risk-scale: Very Low - Low - Medium - High - Very High).
    Why? Because ColdFusion 2021 uses older JVM, Tomcat and libraries that themselves are end-of-life and carry vulnerabilities.

  2. Should I at least update to CF21 Update 22 before the EOL date?
    Yes. In fact, you should have a policy of implementing ColdFusion updates shortly after they appear.

  3. Is it feasible/safe to wait until 2026 for the CF23 migration, or should I accelerate this timeline?
    No, it is not safe to wait till 2026. Reason: Malicious ColdFusion hackers all around the world have marked the date November 10, 2025 on their calendar. They won't wait for you before going to work.

    So, accelerate the timeline. Upgrade as soon as is feasible to an up-to-date version of ColdFusion 2023.  

  4. Are there any compliance issues (PCI, HIPAA, etc.) with running an unsupported CF version?
    Yes. From November 11, 2025 onwards, your ColdFusion 2021 application will no longer be compliant with the requirements of PCI DSS (Payment Card Industry Data Security Standard) and HIPAA (Health Insurance Portability and Accountability Act).

    HIPAA requires that you apply regular security patches. PCI DSS Requirement 6.2 says:
     "Ensure that all system components and software are protected from known vulnerabilities by installing the applicable security patches provided by the manufacturer. Install critical security patches within a month."

    Hence, given the circumstances, my advice on the best path forward is to prioritize fast-tracking the migration to the latest update of ColdFusion 2023.
Community Beginner, Oct 28, 2025

Some fantastic answers here, but let me add one more item.
You mention the "wait till CF26 to update". To me, this is identified as the usual "waiting for the next version" pattern. But that's not how CF works now. You subscribe, yearly, and you get all the updates and upgrades baked in. You can even request a back-port to CF23 if you wish (though you'd miss out on the great new additions in CF25 until you moved). Point is though, you could move now and get whatever you need security wise, and then just upgrade when ready (or when the new version features finally win you over). There's no need to wait, you'll get 26 when it drops. You can use 25 till then. It is a very flexible system that lets you move when you want, how you want, without needing to drop a big amount on a "new" version to upgrade.

Community Expert, Oct 28, 2025

Hi @Mark Takata , Weezerboy meant "wait till the year 2026" rather than "wait till CF26". But your advice, that he already envisage a move to ColdFusion 2025 and ColdFusion 2026, remains good.
