A critical ColdFusion vulnerability disclosed by Adobe

January 17, 2025

Adobe has released out-of-band security updates to address a severe ColdFusion vulnerability. The vendor also included proof-of-concept (PoC) exploit code in the advisory.

The company's advisory explains the flaw, tracked as CVE-2024-53961, which affects ColdFusion 2023 and ColdFusion 2021. The advisory also states that the bug could allow attackers to read arbitrary files on susceptible servers.

Moreover, Adobe stated that it is aware of a known PoC for CVE-2024-53961 that could result in an arbitrary file system read. Adobe therefore used the notification to warn customers that the flaw carries a "Priority 1" severity rating, meaning the affected product version and platform are more likely to be targeted and exploited by threat actors.

Adobe urges organisations to adopt the patch for the ColdFusion flaw.

Adobe recommends that admins install the emergency security patches as soon as possible and use the security configuration settings outlined in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.

In addition, the company has advised customers to review its updated serial filter documentation for further information on preventing unsafe WDDX deserialisation attacks, although it has not confirmed whether the vulnerability is being exploited in the wild.

As CISA warned earlier this year when it urged software companies to fix path traversal security vulnerabilities before shipping their products, threat actors can take advantage of such flaws to access sensitive data.

Some of this sensitive data could include credentials that allow attackers to carry out further malicious activity, such as brute-force attacks on accounts, and to breach a target's systems.
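The two things a defender wants here are a containment check that stops a file-serving endpoint from following `../` out of its document root, and a way to spot traversal attempts in access logs. The following Python is an added example written for this article; it is not Adobe's code and is unrelated to the ColdFusion patch itself. The base directory `/srv/app/public`, the `/app/download` endpoint and the log lines are all constructed for illustration.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

# --- Mitigation: confine a user-supplied file name to a base directory ---

def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Return the normalised absolute path for user_path under base_dir,
    or None if the request would escape base_dir (path traversal).

    This is a lexical check. If base_dir may contain symlinks, also run the
    returned path through os.path.realpath and repeat the containment test
    before opening the file.
    """
    base = os.path.abspath(base_dir)
    # Decode percent-encoding so "..%2F" is treated like "../", and fold
    # Windows separators so "..\\" is not missed on POSIX hosts.
    decoded = unquote(user_path).replace("\\", "/")
    if os.path.isabs(decoded):
        return None  # an absolute path can never be "under" the base
    candidate = os.path.normpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def naive_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: os.path.join alone neither normalises ".."
    nor rejects absolute input, so the caller can escape base_dir."""
    return os.path.join(base_dir, user_path)


# --- Detection: flag traversal attempts in web-server access logs ---

# Request target of a common-log-format line, e.g. "GET /x?y=z HTTP/1.1".
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE) (\S+)')
# A ".." segment delimited by path or query separators (or string ends).
_TRAVERSAL_RE = re.compile(r'(?<![^/?=&])\.\.(?=[/?&]|$)')


def is_traversal_attempt(request_target: str) -> bool:
    """True when the (possibly double-encoded) target contains a ".." segment."""
    decoded = unquote(unquote(request_target)).replace("\\", "/")
    return _TRAVERSAL_RE.search(decoded) is not None


def suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return the log lines whose request target looks like path traversal."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if m and is_traversal_attempt(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample log (not real traffic); two of the five lines are attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2024:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Dec/2024:10:01:09 +0000] "GET /app/download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
    '198.51.100.9 - - [20/Dec/2024:10:02:15 +0000] "GET /assets/logo.png HTTP/1.1" 200 9000',
    '198.51.100.9 - - [20/Dec/2024:10:03:40 +0000] "GET /app/download?file=../../../windows/win.ini HTTP/1.1" 404 120',
    '198.51.100.9 - - [20/Dec/2024:10:04:01 +0000] "GET /docs/notes..txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    base = "/srv/app/public"
    for req in ("reports/q4.txt", "../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"):
        print(f"{req!r:32} naive={naive_join(base, req)!r:40} safe={safe_join(base, req)!r}")
    for line in suspicious_requests(SAMPLE_LOG):
        print("TRAVERSAL?", line)
```

`safe_join` decodes once and normalises before the containment test, which is the order that matters: checking for `..` on the raw string misses `%2e%2e%2f`, and checking after `os.path.join` without `normpath` misses everything. The detector decodes twice so that double-encoded segments are caught too, and only matches `..` as a whole segment, so a file name such as `notes..txt` is not reported.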

Since 2007, vulnerabilities such as directory traversal have been widely abused by cybercriminals. Despite existing for over two decades, authorities report that directory traversal vulnerabilities are still common.

Therefore, organisations should instruct their administrators to apply the security patch that addresses the ColdFusion vulnerability immediately. Doing so significantly improves the chances of preventing unauthorised access by threat actors looking to compromise vulnerable systems.
