ColdFusion RDS Service enabled - Vulnerability Database

ColdFusion RDS Service enabled

Description

The Adobe ColdFusion Remote Development Service (RDS) is enabled and reachable from any network location without IP restrictions. RDS is the development-time interface that IDEs such as ColdFusion Builder use to browse the server's file system, query the data sources registered in ColdFusion Administrator, and attach a debugger; it is served at /CFIDE/main/ide.cfm and is protected only by the RDS password. It has no place on a production server: anyone who can reach the endpoint and obtain, guess, or brute-force that password can read application source and configuration files (including data source credentials) and run arbitrary SQL against every registered data source. Exposing it in production, or leaving it protected only by a weak password, therefore creates an unnecessary attack surface for unauthorized users.

Remediation

Disable RDS entirely in production: in ColdFusion Administrator go to Security > RDS and uncheck "Enable RDS Service". Note that this alone only switches the service off; the servlet that answers on /CFIDE/main/ide.cfm is still mapped, so also follow the Adobe lockdown guidance for production systems and remove the RDSServlet mapping from the application server's web.xml and block /CFIDE/ at the web server for everyone except administrator IPs.

If RDS must remain enabled on a development server, apply all of the following controls:

1. Restrict access with IP allowlisting so that only trusted development machines can reach the RDS endpoint; the RDS password is not a substitute for network restriction.
2. Set a strong, unique RDS password (at least 12 characters, mixed case, digits and special characters) that is not shared with the ColdFusion Administrator password.
3. Serve RDS only over HTTPS, so that the password and the file and query contents it returns are not sent in clear text.
4. Monitor the web server and ColdFusion logs for requests to /CFIDE/main/ide.cfm from unexpected sources and for repeated failed RDS authentication.

After remediation, verify on the production system that RDS is disabled in the Administrator, that the RDSServlet mapping is gone from web.xml, and that an unauthenticated request to /CFIDE/main/ide.cfm from outside the allowlist is rejected.
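The verification step above can be scripted. The following is an added example, not Invicti's or Adobe's code: it audits two ColdFusion configuration files for the RDS exposure described on this page. It reads the servlet container's web.xml for a mapping of the RDSServlet and reads lib/neo-security.xml for the Administrator's "Enable RDS Service" flag. The assumption, documented in the code, is that the flag is persisted as the WDDX variable `rds.security.enabled`; the sample files are constructed and abbreviated, and the servlet class name in the sample is illustrative.

```python
"""Audit ColdFusion configuration for an exposed RDS service.

Added example for this page (not vendor code). Checks:
  1. web.xml          - is any url-pattern still routed to RDSServlet?
  2. neo-security.xml - is 'Enable RDS Service' switched on?
"""
import sys
import xml.etree.ElementTree as ET

RDS_SERVLET = "RDSServlet"
RDS_FLAG = "rds.security.enabled"   # assumption: WDDX var name used in neo-security.xml


def _local(tag):
    """Strip an XML namespace prefix: '{ns}servlet-mapping' -> 'servlet-mapping'."""
    return tag.rsplit("}", 1)[-1]


def rds_servlet_mappings(web_xml_text):
    """Return the url-patterns that web.xml routes to RDSServlet.

    An empty list means the mapping was removed, which is the production
    lockdown step; a non-empty list means /CFIDE/main/ide.cfm (or whatever
    pattern is listed) still reaches the RDS servlet even if RDS is 'disabled'.
    """
    root = ET.fromstring(web_xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        names = [c.text.strip() for c in mapping if _local(c.tag) == "servlet-name" and c.text]
        if RDS_SERVLET in names:
            patterns += [c.text.strip() for c in mapping if _local(c.tag) == "url-pattern" and c.text]
    return patterns


def rds_enabled_in_neo_security(neo_security_text):
    """Read the Administrator's 'Enable RDS Service' flag.

    Assumption: stored as <var name='rds.security.enabled'><boolean value='true'/></var>
    inside the WDDX packet. Returns True/False, or None if the variable is absent.
    """
    root = ET.fromstring(neo_security_text)
    for var in root.iter():
        if _local(var.tag) == "var" and var.get("name") == RDS_FLAG:
            for child in var:
                if _local(child.tag) == "boolean":
                    return (child.get("value") or "").strip().lower() == "true"
    return None


def audit(web_xml_text, neo_security_text, production=True):
    """Return a list of findings. An empty list means RDS is off and, on a
    production host, also unmapped in web.xml."""
    findings = []
    enabled = rds_enabled_in_neo_security(neo_security_text)
    if enabled:
        findings.append("RDS is enabled in ColdFusion Administrator (Security > RDS)")
    elif enabled is None:
        findings.append(RDS_FLAG + " not found; inspect neo-security.xml manually")
    mappings = rds_servlet_mappings(web_xml_text)
    if production and mappings:
        findings.append("RDSServlet still mapped in web.xml: " + ", ".join(mappings))
    return findings


# --- constructed sample inputs (abbreviated, not copied from a real install) ---
WEB_XML_EXPOSED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>RDSServlet</servlet-name>
    <servlet-class>coldfusion.bootstrap.BootstrapServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RDSServlet</servlet-name>
    <url-pattern>/CFIDE/main/ide.cfm</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
</web-app>"""

# Same file with the RDSServlet mapping removed, as the lockdown step requires.
WEB_XML_HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping>
    <servlet-name>CfmServlet</servlet-name>
    <url-pattern>*.cfm</url-pattern>
  </servlet-mapping>
</web-app>"""

NEO_SECURITY_ON = """<wddxPacket version='1.0'><header/><data><struct>
<var name='rds.security.enabled'><boolean value='true'/></var>
</struct></data></wddxPacket>"""

NEO_SECURITY_OFF = NEO_SECURITY_ON.replace("value='true'", "value='false'")


if __name__ == "__main__":
    # Real use: python rds_audit.py <path to web.xml> <path to neo-security.xml>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            findings = audit(f.read(), g.read())
    else:
        findings = audit(WEB_XML_EXPOSED, NEO_SECURITY_ON)
    print("\n".join(findings) if findings else "OK: RDS disabled and unmapped")
```

Run it against the server's own files (web.xml under the application server's WEB-INF, neo-security.xml under the ColdFusion lib directory) and treat any finding as the vulnerability still being present. A network probe of /CFIDE/main/ide.cfm from an address outside the allowlist is the complementary check from the outside, since a web server rule that blocks /CFIDE/ will hide a mapping the file audit still reports.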
