SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Adobe Patches ColdFusion Flaw at High Risk of Exploitation

Adobe has released patches for a high-severity ColdFusion vulnerability for which proof-of-concept (PoC) code exists.
Adobe vulnerabilities

Adobe on Monday warned that proof-of-concept (PoC) code exists for a fresh ColdFusion vulnerability.

Tracked as CVE-2024-53961 (CVSS score of 7.4), the security defect is described as a path traversal issue leading to arbitrary file system read if the ‘pmtagent’ package is installed on the ColdFusion server.

“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.

Although the flaw has a ‘high severity’ rating based on its CVSS score, Adobe considers it critical, marking it as ‘Priority 1’ and warning that it has a high risk of being targeted in attacks.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the company warns.

The vulnerability affects ColdFusion 2023 update 11 and earlier and ColdFusion 2021 update 17 and earlier and was resolved with the release of ColdFusion 2023 update 12 and ColdFusion 2021 update 18.

ColdFusion installations should be updated as soon as possible and Adobe also recommends reviewing its lockdown guides for the affected versions and ensuring that the Performance Monitoring Toolset (PMT) server is up and running during the update, if PMT is in use.

Vulnerabilities in Adobe ColdFusion have long been an attractive target for threat actors. Last week, the US cybersecurity agency CISA warned that an improper access control defect in ColdFusion patched in March 2024 has been exploited in the wild. The flaw is tracked as CVE-2024-20767.

Advertisement. Scroll to continue reading.

In December last year, CISA warned that a ColdFusion bug leading to arbitrary code execution had been exploited in attacks targeting servers belonging to a federal civilian executive branch (FCEB) agency. Tracked as CVE-2023-26360, the defect was patched in March 2023, after being exploited in the wild.

Related: CISA Warns of Exploited Adobe ColdFusion, Windows Vulnerabilities

Related: Apple Pushes Major iOS, macOS Security Updates

Related: Adobe Patches Critical Code Execution Vulnerabilities in Photoshop, Bridge

Related: NIST Tool Finds Errors in Complex Safety-Critical Software

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Shane Barney has been appointed CISO of password management and PAM solutions provider Keeper Security.

Edge Delta has appointed Joan Pepin as its Chief Information Security Officer.

Vats Srivatsan has been appointed interim CEO of WatchGuard after Prakash Panjwani stepped down.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.