Adobe has released emergency security updates to address a critical ColdFusion vulnerability for which proof-of-concept (PoC) exploit code already exists. The flaw, tracked as CVE-2024-53961, affects Adobe ColdFusion versions 2023 and 2021, according to an advisory the company published on Monday. It is a path traversal weakness that allows attackers to read arbitrary files on vulnerable servers.
The company's advisory states, “Adobe acknowledges that CVE-2024-53961 has an established proof-of-concept that could facilitate unauthorized file system access.” Adobe also warned users that the flaw carries a ‘Priority 1’ rating because of the higher risk of it being targeted by active exploits in the wild for the affected product versions and platforms.
Adobe advises administrators to install the emergency security patches, ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12, as soon as possible and preferably within 72 hours, and to apply the security configuration settings described in the lockdown guides for ColdFusion 2021 and 2023.
While Adobe has not confirmed whether this vulnerability has been exploited in the wild, it has urged customers to review the serial filter documentation for guidance on protecting against insecure Wddx deserialization attacks.
In May, CISA had already warned about the dangers of path traversal vulnerabilities, stressing that attackers can exploit such weaknesses to access sensitive data, including credentials, which can then be used to compromise existing accounts and break into target systems.
CISA remarked, “Vulnerabilities like directory traversal have been labeled ‘unforgivable’ since at least 2007. Yet, despite this long-standing awareness, directory traversal vulnerabilities (such as CWE-22 and CWE-23) continue to be a common issue.”

CISA (the Cybersecurity and Infrastructure Security Agency) had also ordered federal agencies in July 2023 to secure their Adobe ColdFusion servers by August 10, 2023 against two critical vulnerabilities, CVE-2023-29298 and CVE-2023-38205, both of which were being exploited in attacks at the time.
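To make the class of bug CISA describes (CWE-22) concrete, here is an added Python example that is not Adobe's code and does not reproduce ColdFusion's file handling: a hypothetical download handler's vulnerable path resolution next to a hardened one, plus a small detector run over constructed web-server access-log lines of the kind a responder might hunt through after this advisory. The document root, the function names and the log lines are all assumptions made for illustration.

```python
import posixpath
import re
from typing import List, Optional
from urllib.parse import unquote

# Assumed document root of a hypothetical file-download handler (illustration only).
DOC_ROOT = "/var/www/app/public"


def unsafe_resolve(user_path: str) -> str:
    """CWE-22 pattern: the user-controlled path is joined to the document root
    and never checked, so '../' segments walk out of the root, and an absolute
    path makes posixpath.join discard the root entirely."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, user_path))


def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened form: canonicalise, then verify the result is still under DOC_ROOT.
    Returns the resolved path, or None when the request escapes the root."""
    # Decode once, assuming the server hands us the raw (still percent-encoded)
    # value. If the framework already decoded it, skip this step: decoding twice
    # would reintroduce double-encoding bypasses such as '%252e%252e'.
    decoded = unquote(user_path)
    # Treat backslashes as separators too; a filter that only knows '../' misses '..\'.
    decoded = decoded.replace("\\", "/")
    # Strip a leading '/' so an absolute path cannot replace the root in join().
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Prefix check with a trailing separator, so '/var/www/app/public_old' does not
    # pass as a prefix of DOC_ROOT. Pure string normalisation is used here so the
    # example runs offline; on a live host add os.path.realpath() to defeat symlinks.
    if candidate == DOC_ROOT or candidate.startswith(DOC_ROOT + "/"):
        return candidate
    return None


# Detection side: a '..' segment followed by a separator (or end of string).
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def looks_like_traversal(request_path: str) -> bool:
    """Decode up to three times (catches double-encoding), then look for a '..'
    segment in either separator style. Unlike safe_resolve(), the detector decodes
    repeatedly because it is looking for intent, not computing a path."""
    current = request_path
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return TRAVERSAL_RE.search(current) is not None


def flag_traversal_attempts(log_lines: List[str]) -> List[str]:
    """Return the access-log lines whose request path carries a traversal attempt."""
    hits = []
    for line in log_lines:
        match = REQ_RE.search(line)
        if match and looks_like_traversal(match.group(1)):
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic): one benign download, a plain
# traversal, a URL-encoded one, a double-encoded one, and a benign '..' in a name.
LOG_LINES = [
    '203.0.113.7 - - [23/Dec/2024:10:01:02 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 1024',
    '203.0.113.7 - - [23/Dec/2024:10:01:05 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 200 1842',
    '198.51.100.9 - - [23/Dec/2024:10:02:11 +0000] "GET /download?file=..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1842',
    '198.51.100.9 - - [23/Dec/2024:10:02:14 +0000] "GET /download?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 312',
    '192.0.2.5 - - [23/Dec/2024:10:03:00 +0000] "GET /images/logo..png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    payload = "../../../../etc/passwd"
    print("unsafe:", unsafe_resolve(payload))   # escapes to /etc/passwd
    print("safe:  ", safe_resolve(payload))     # None: rejected
    for hit in flag_traversal_attempts(LOG_LINES):
        print("suspicious:", hit)
```

The detector deliberately errs toward sensitivity: any `..` followed by a separator is flagged, so a rare legitimate name such as `foo../bar` would produce a false positive, which is the right trade-off when triaging a server that may have been targeted. The resolver is the opposite: it never trusts the input and only answers with a path that provably sits under the root.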