Adobe Patches ColdFusion Flaw at High Risk of Exploitation

1 week ago 17
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

Adobe on Monday warned that proof-of-concept (PoC) code exists for a fresh ColdFusion vulnerability.

Tracked as CVE-2024-53961 (CVSS score of 7.4), the security defect is described as a path traversal issue leading to arbitrary file system read if the ‘pmtagent’ package is installed on the ColdFusion server.

“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.

Although the flaw has a ‘high severity’ rating based on its CVSS score, Adobe considers it critical, marking it as ‘Priority 1’ and warning that it has a high risk of being targeted in attacks.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the company warns.

The vulnerability affects ColdFusion 2023 update 11 and earlier and ColdFusion 2021 update 17 and earlier and was resolved with the release of ColdFusion 2023 update 12 and ColdFusion 2021 update 18.

ColdFusion installations should be updated as soon as possible and Adobe also recommends reviewing its lockdown guides for the affected versions and ensuring that the Performance Monitoring Toolset (PMT) server is up and running during the update, if PMT is in use.

Vulnerabilities in Adobe ColdFusion have long been an attractive target for threat actors. Last week, the US cybersecurity agency CISA warned that an improper access control defect in ColdFusion patched in March 2024 has been exploited in the wild. The flaw is tracked as CVE-2024-20767.

Advertisement. Scroll to continue reading.

In December last year, CISA warned that a ColdFusion bug leading to arbitrary code execution had been exploited in attacks targeting servers belonging to a federal civilian executive branch (FCEB) agency. Tracked as CVE-2023-26360, the defect was patched in March 2023, after being exploited in the wild.

Related: CISA Warns of Exploited Adobe ColdFusion, Windows Vulnerabilities

Related: Apple Pushes Major iOS, macOS Security Updates

Related: Adobe Patches Critical Code Execution Vulnerabilities in Photoshop, Bridge

Related: NIST Tool Finds Errors in Complex Safety-Critical Software

Read Entire Article