Adobe Warns Of Critical ColdFusion Flaw With PoC Exploit

by CybrGPT
0 comment

Adobe has issued an out-of-band security update to address a critical ColdFusion vulnerability, which has a proof-of-concept (PoC) exploit code that is publicly available.

The vulnerability identified as CVE-2024-53961 (CVSS score: 7.4) arises from a path traversal flaw, which impacts Adobe ColdFusion versions 2023 (Update 11 and earlier) and 2021 (Update 17 and earlier).

If exploited, this flaw can enable attackers to gain unauthorized access to arbitrary files on compromised servers, potentially exposing data.

“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.

For those unaware, ColdFusion is an application server and web programming language that facilitates dynamic web page creation by enabling communication with back-end systems based on user input, database queries, or other criteria.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an advisory released on Monday.

Adobe has assigned the flaw a “Priority 1” severity rating, the highest possible level, due to the “higher risk of being targeted by exploit(s) in the wild for a given product version and platform.”

The company has released emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12). It has recommended users install these patches “within 72 hours” to mitigate any potential security risks associated with this critical flaw.

Further, Adobe has suggested that users apply the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.

While Adobe has yet to confirm any active exploitation of the vulnerability, it has urged users to review the updated serial filter documentation to safeguard against insecure WDDX deserialization attacks.

Source link

You may also like

Leave a Comment

Stay informed with the latest in cybersecurity news. Explore updates on malware, ransomware, data breaches, and online threats. Your trusted source for digital safety and cyber defense insights.

BuyBitcoinFiveMinute

Subscribe my Newsletter for new blog posts, tips & new photos. Let’s stay updated!

© 2025 cybrgpt.com – All rights reserved.