The cybersecurity agency CISA warned organizations on Monday that two vulnerabilities affecting Adobe ColdFusion and Microsoft Windows have been exploited in the wild.
CISA added the flaws to its Known Exploited Vulnerabilities (KEV) catalog, instructing federal agencies to address them in their environments by early January 2025.
The Windows vulnerability is CVE-2024-35250, a high-severity kernel-mode driver issue that can be exploited by an attacker to escalate privileges to System.
Microsoft patched the vulnerability in June 2024. The company's advisory does indicate that exploitation is likely, but Microsoft has yet to update its advisory for CVE-2024-35250 to confirm that attacks have occurred.
DevCore, whose researchers have been credited by Microsoft for responsibly reporting the vulnerability, disclosed details of the flaw in late August, noting that it had been exploited at the Pwn2Own Vancouver 2024 hacking competition, where the DevCore team earned $30,000 for an exploit involving this vulnerability.
A proof-of-concept (PoC) exploit appears to have been made available in October.
Given that CVE-2024-35250 is a local privilege escalation flaw, it’s likely to be exploited in attacks after the attacker has gained initial access to the targeted system.
The ColdFusion vulnerability added to CISA’s KEV list, tracked as CVE-2024-20767, was patched by Adobe in March 2024. The software giant described it as a critical improper access control issue that allows “arbitrary file system read”.
Technical details and a PoC exploit were published shortly after the patch was announced, showing how an attacker could leverage CVE-2024-20767 to gain unauthorized access to sensitive files and also to modify restricted files.
The vulnerability can be exploited to compromise internet-exposed ColdFusion instances without user interaction. Many ColdFusion servers are exposed to the web, but it's unclear how many of them are vulnerable to attacks.
There do not appear to be any previous reports on the exploitation of these ColdFusion and Windows vulnerabilities. CISA has not shared any information on the attacks it’s aware of.
However, it's worth noting that vulnerabilities in both Windows and ColdFusion are regularly exploited in the wild.
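For organizations outside the federal mandate, the practical follow-up to a KEV addition is to check whether the newly listed entries touch software they actually run and how much time remains before the due date. The script below is an added example written for this article, not code from CISA, Adobe or Microsoft: it parses a feed in the shape of the public KEV JSON (field names `cveID`, `vendorProject`, `product`, `dueDate` are the feed's), matches entries against a simple vendor/product inventory and reports days remaining or overdue. The records, descriptions and dates inside it are constructed for illustration; only the two CVE IDs, vendors and products come from the article, and the due dates are not CISA's actual deadlines.

```python
"""Match a CISA KEV feed against a software inventory and compute deadlines.

Added example; not code from the article, CISA or the vendors named.
The JSON field names follow the public KEV feed; every record and date
below is constructed for illustration (the real feed is much larger and
the real due dates differ).
"""
import json
from datetime import date

# Constructed sample in the KEV feed's JSON shape. CVE IDs, vendors and
# products are those named in the article; text and dates are illustrative.
SAMPLE_KEV_JSON = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-35250",
            "vendorProject": "Microsoft",
            "product": "Windows",
            "vulnerabilityName": "Kernel-mode driver privilege escalation (constructed text)",
            "dueDate": "2025-01-06",  # constructed, not the real deadline
        },
        {
            "cveID": "CVE-2024-20767",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "vulnerabilityName": "Improper access control, arbitrary file read (constructed text)",
            "dueDate": "2025-01-06",  # constructed, not the real deadline
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder entry for software not in inventory
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry (constructed)",
            "dueDate": "2024-12-01",
        },
    ]
})


def load_kev(feed_json: str) -> list[dict]:
    """Return the list of vulnerability records from a KEV-shaped JSON feed."""
    return json.loads(feed_json)["vulnerabilities"]


def affects_inventory(entry: dict, inventory: dict[str, set[str]]) -> bool:
    """True if the entry's vendor and product match something we run.

    Matching is case-insensitive substring matching, because KEV vendor and
    product strings are free text (e.g. "Windows" vs "Windows Server").
    """
    vendor = entry["vendorProject"].casefold()
    product = entry["product"].casefold()
    for inv_vendor, products in inventory.items():
        if inv_vendor.casefold() in vendor:
            if any(p.casefold() in product for p in products):
                return True
    return False


def kev_matches(feed_json: str, inventory: dict[str, set[str]], today: date) -> list[dict]:
    """Return inventory-relevant KEV entries with days left until the due date.

    A negative days_left (and overdue=True) means the remediation deadline
    has already passed relative to `today`. Results are sorted so the most
    urgent deadline comes first; ties are broken by CVE ID for stable output.
    """
    rows = []
    for entry in load_kev(feed_json):
        if not affects_inventory(entry, inventory):
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "cveID": entry["cveID"],
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": due.isoformat(),
            "days_left": (due - today).days,
            "overdue": due < today,
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


if __name__ == "__main__":
    # Constructed inventory: the two products named in the article.
    inventory = {"Microsoft": {"Windows"}, "Adobe": {"ColdFusion"}}
    for row in kev_matches(SAMPLE_KEV_JSON, inventory, date.today()):
        status = "OVERDUE" if row["overdue"] else f'{row["days_left"]} days left'
        print(f'{row["cveID"]:16} {row["product"]:22} due {row["dueDate"]}  {status}')
```

In practice the feed would be fetched from CISA's published KEV JSON URL rather than embedded, and the inventory would come from a CMDB or asset scanner export; the matching and deadline logic stays the same.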
Related: DrayTek Vulnerabilities Added to CISA KEV Catalog Exploited in Global Campaign
Related: Undocumented DrayTek Vulnerabilities Exploited to Hack Hundreds of Orgs
Related: CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks