Adobe Issues Emergency Updates for Critical ColdFusion Flaw
December 23, 2024
In an unexpected move, Adobe has rolled out security updates to address a critical vulnerability in its ColdFusion software, identified as CVE-2024-53961. This flaw, caused by a path traversal weakness, affects the 2023 and 2021 versions of Adobe ColdFusion and could potentially allow attackers to access arbitrary files on susceptible servers.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," the company stated in its advisory. The vulnerability has been assigned a 'Priority 1' severity rating due to its high risk of being exploited in the wild.
As an immediate countermeasure, Adobe urges administrators to install the latest emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) promptly, preferably within 72 hours. Additionally, it recommends applying the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While it's unclear whether the vulnerability has been exploited in the wild, Adobe has advised customers to review its updated serial filter documentation for more information on preventing insecure WDDX deserialization attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously warned about the risks of path traversal security bugs, which can be exploited by attackers to access sensitive data, such as login credentials. This can enable them to brute-force existing accounts and breach a target's systems.
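The advisory and CISA's warning above describe the vulnerability class (path traversal leading to arbitrary file read) without showing what the defence looks like in code. The following is an added example, not code from Adobe, ColdFusion or this article: a canonical-path containment check of the kind that closes this class of bug, beside the unsafe concatenation pattern it replaces. The document root `WEB_ROOT` and the sample inputs are constructed for the demonstration and do not correspond to any real ColdFusion path.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the example (an assumption, not an Adobe path).
WEB_ROOT = "/srv/app/wwwroot"


def resolve_within(base_dir: str, user_path: str) -> Optional[Path]:
    """Return the canonical path of base_dir/user_path if it stays inside
    base_dir, otherwise None. The check runs on the symlink-resolved path, so a
    symlink inside base_dir that points outside is rejected as well."""
    base = Path(base_dir).resolve()

    # One round of percent-decoding only. Anything still percent-encoded
    # afterwards (e.g. '%252e%252e') is rejected rather than decoded again,
    # and NUL bytes are rejected because lower layers may truncate on them.
    decoded = unquote(user_path)
    if "%" in decoded or "\x00" in decoded:
        return None

    # Treat backslashes as separators so a Windows-style '..\\' is not missed.
    decoded = decoded.replace("\\", "/")

    # A caller-supplied absolute path can never be "inside" the base directory.
    if decoded.startswith("/"):
        return None

    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    return candidate


def vulnerable_resolve(base_dir: str, user_path: str) -> Path:
    """The unsafe pattern: join the user-controlled segment with no containment
    check. '..' components are honoured when the path is later opened."""
    return Path(base_dir) / user_path


def demo() -> dict:
    """Constructed request paths of the kinds a traversal check must handle;
    returns whether each one is allowed by resolve_within()."""
    inputs = {
        "plain": "docs/readme.txt",
        "dotdot": "../../../etc/passwd",
        "encoded": "..%2F..%2F..%2Fetc%2Fpasswd",
        "double": "..%252F..%252Fetc%252Fpasswd",
        "backslash": "..\\..\\..\\etc\\passwd",
        "absolute": "/etc/passwd",
        "nul": "docs/readme.txt\x00.jpg",
    }
    return {name: resolve_within(WEB_ROOT, p) is not None
            for name, p in inputs.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10s} -> {'allowed' if allowed else 'rejected'}")
```

Only the plain relative path is allowed; every other constructed input is rejected before any file is opened. The comparison is done after `resolve()` rather than by string-matching `..`, because the canonical form is what the operating system will actually open, and `vulnerable_resolve` shows how the same `../../../etc/passwd` input silently resolves to a file outside the document root when no such check exists.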
In July 2023, CISA directed federal agencies to secure their Adobe ColdFusion servers against two critical security flaws (CVE-2023-29298 and CVE-2023-38205) that had been exploited in attacks. One of these was a zero-day exploit.
In a further revelation, the U.S. cybersecurity agency disclosed that hackers had exploited another critical ColdFusion vulnerability (CVE-2023-26360) to compromise outdated government servers since June 2023. This flaw had also been exploited in a limited number of attacks as a zero-day exploit since March 2023.