Adobe warns of critical ColdFusion bug with PoC exploit code
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said today, while also cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
The company advises administrators to install today’s emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) as soon as possible, “for example, within 72 hours,” and apply security configuration settings outlined in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While Adobe has yet to disclose if this vulnerability has been exploited in the wild, it advised customers today to review its updated serial filter documentation for more information on blocking insecure Wddx deserialization attacks.
As CISA warned in May when it urged software companies to weed out path traversal security bugs before shipping their products, attackers can exploit such vulnerabilities to access sensitive data, including credentials that can be used to brute-force already existing accounts and breach a target’s systems.
“Vulnerabilities like directory traversal have been called ‘unforgivable’ since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability,” CISA said.
Last year, in July 2023, CISA also ordered federal agencies to secure their Adobe ColdFusion servers by August 10th against two critical security flaws (CVE-2023-29298 and CVE-2023-38205) exploited in attacks, one of them as a zero-day.
The U.S. cybersecurity agency also revealed one year ago that hackers had been using another critical ColdFusion vulnerability (CVE-2023-26360) to breach outdated government servers since June 2023. The same flaw had been actively exploited in “very limited attacks” as a zero-day since March 2023.