Adobe has issued an out-of-band security update to address a critical ColdFusion vulnerability for which proof-of-concept (PoC) exploit code is publicly available.
The vulnerability, tracked as CVE-2024-53961 (CVSS base score: 7.4), is a path traversal flaw affecting Adobe ColdFusion 2023 (Update 11 and earlier) and ColdFusion 2021 (Update 17 and earlier). Adobe rates it Critical even though the CVSS score falls in the High band; the vendor rating, not the base score, is what drives its patching guidance.
If exploited, the flaw lets an attacker read arbitrary files on an affected server, potentially exposing sensitive data.
“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.
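The bug class the advisory describes is easy to reproduce in miniature. The following Python is an added illustration, not ColdFusion code and not the actual vulnerable endpoint: it shows the trust-the-client path join that lets `../` (and its percent-encoded variants) escape the intended directory, the canonicalise-then-compare check that blocks it, and a small detector that flags traversal attempts in web server access logs. The document root, the `/files?name=` endpoint and the log lines are all constructed for the example.

```python
"""Path traversal: vulnerable join, hardened check, and a log-side detector.

Constructed illustration of the bug class behind CVE-2024-53961. The base
directory, the /files?name= endpoint and the log lines are assumptions made
for this example; they are not ColdFusion's real code or endpoints.
"""
import os
import re
from urllib.parse import unquote

BASE_DIR = "/srv/app/www"  # assumed document root for the example


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The bug class: join the client-supplied name onto the base directory.
    Parent-directory segments walk straight out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, unquote(requested)))


def _fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir: str, requested: str):
    """Hardened check: canonicalise both the root and the candidate, then
    require the candidate to stay under the root. Returns the resolved path,
    or None when the request would escape base_dir."""
    decoded = _fully_decode(requested).replace("\\", "/")
    if "\x00" in decoded:  # NUL bytes truncate paths in some native APIs
        return None
    root = os.path.realpath(base_dir)
    # Leading slashes are stripped so an absolute path cannot replace the root.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Dec/2024:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [24/Dec/2024:10:01:07 +0000] "GET /files?name=../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.9 - - [24/Dec/2024:10:01:09 +0000] "GET /files?name=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 92
10.0.0.9 - - [24/Dec/2024:10:01:12 +0000] "GET /files?name=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 0
10.0.0.7 - - [24/Dec/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 3320
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
PARENT_SEGMENT_RE = re.compile(r"(^|/|=)\.\.(/|$|&)")


def find_traversal_attempts(log_text: str):
    """Return (client_ip, decoded_request) for each request whose fully
    decoded path or query carries a parent-directory segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = _fully_decode(m.group(1)).replace("\\", "/")
        if PARENT_SEGMENT_RE.search(decoded):
            hits.append((line.split(" ", 1)[0], decoded))
    return hits


if __name__ == "__main__":
    print("vulnerable:", vulnerable_resolve(BASE_DIR, "..%2F..%2F..%2Fetc%2Fpasswd"))
    print("hardened:  ", safe_resolve(BASE_DIR, "..%2F..%2F..%2Fetc%2Fpasswd"))
    for ip, req in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {req}")
```

The detector decodes up to three times before matching because double-encoded requests (`%252e%252e`) arrive at the application as `%2e%2e` after the web server's first decode and only become `..` after a second one; a rule that inspects the raw URL misses them. The hardened resolver compares canonical paths rather than searching for `..` in the input, so symlinks and encoding tricks are handled by the filesystem's own normalisation instead of by a pattern list.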
For those unaware, ColdFusion is an application server and web programming language used to build dynamic web pages; it lets an application talk to back-end systems and tailor pages according to user input, database queries, or other criteria.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said in an advisory released on Monday.
Adobe has assigned the flaw a “Priority 1” severity rating, the highest possible level, due to the “higher risk of being targeted by exploit(s) in the wild for a given product version and platform.”
The company has released emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) and recommends that users install them “within 72 hours” to mitigate the risk associated with this flaw.
Further, Adobe has suggested that users apply the security configuration settings detailed in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While Adobe has yet to confirm any active exploitation of the vulnerability, it has urged users to review the updated serial filter documentation to safeguard against insecure WDDX deserialization attacks.