Adobe warns of critical ColdFusion bug with PoC exploit code
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," Adobe said today, while also cautioning customers that it assigned a "Priority 1" severity rating to the flaw because it has a "a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform."
The company advises administrators to install today's emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) as soon as possible, "for example, within 72 hours," and apply security configuration settings outlined in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
While Adobe has yet to disclose if this vulnerability has been exploited in the wild, it advised customers today to review its updated serial filter documentation for more information on blocking insecure Wddx deserialization attacks.
As CISA warned in May when it urged software companies to weed out path traversal security bugs before shipping their products, attackers can exploit such vulnerabilities to access sensitive data, including credentials that can be used to brute-force already existing accounts and breach a target's systems.
"Vulnerabilities like directory traversal have been called 'unforgivable' since at least 2007. Despite this finding, directory traversal vulnerabilities (such as CWE-22 and CWE-23) are still prevalent classes of vulnerability," CISA said.
Last year, in July 2023, CISA also ordered federal agencies to secure their Adobe ColdFusion servers by August 10th against two critical security flaws (CVE-2023-29298 and CVE-2023-38205) exploited in attacks, one of them as a zero-day.
The U.S. cybersecurity agency also revealed one year ago that hackers had been using another critical ColdFusion vulnerability (CVE-2023-26360) to breach outdated government servers since June 2023. The same flaw had been actively exploited in "very limited attacks" as a zero-day since March 2023.
FTC orders Marriott and Starwood to implement strict data security
Non-Human Identities Gain Momentum, Requires Both Management, Security
CVE-2025-22224 VMware ESXi and Workstation TOCTOU Race Condition Vulnerability
CVE-2020-29574 CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2018-8639 Microsoft Windows Win32k Improper Resource Shutdown or Release Vulnerability
CVE-2025-0111 Palo Alto Networks PAN-OS File Read Vulnerability
CVE-2024-49035 Microsoft Partner Center Improper Access Control Vulnerability
CVE-2024-50302 Linux Kernel Use of Uninitialized Resource Vulnerability
CVE-2017-0148 Microsoft SMBv1 Server Remote Code Execution Vulnerability
InformationalInformation Disclosure - Suspicious Comments
HighPII Disclosure
Free online web security scanner
