Adobe has rolled out urgent security updates to address a critical vulnerability in its ColdFusion software.
The flaw, tracked as CVE-2024-53961, is caused by a path traversal weakness that affects Adobe ColdFusion 2023 and 2021. This vulnerability could allow attackers to access arbitrary files on compromised servers.
In an advisory issued on Monday, Adobe confirmed the existence of a proof-of-concept (PoC) exploit for the flaw and warned that it poses a high risk of being actively targeted. The company classified the issue as “Priority 1,” urging users to act immediately.
“Adobe is aware of a known proof-of-concept for CVE-2024-53961 that could enable arbitrary file system read,” the company said. It strongly recommended that administrators apply the provided patches—ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12—within 72 hours. These updates come with specific security configuration guidelines outlined in the ColdFusion lockdown guides.
Although Adobe has not confirmed any real-world exploitation of this vulnerability, it also advised users to consult its updated serial filter documentation, which covers defending against insecure WDDX deserialization attacks, a related threat vector.
Why This Vulnerability Matters
Path traversal vulnerabilities like this are particularly dangerous. Attackers can use them to access sensitive information, such as credentials, that could be leveraged for further attacks like brute-forcing accounts or infiltrating systems.
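As an added illustration of the weakness class (this is not Adobe's code, and the advisory does not describe the internals of CVE-2024-53961, so nothing here reproduces it): a request-supplied file name joined directly onto a web root lets `../` segments escape that directory, while the hardened lookup decodes, normalises and resolves the path and then requires it to remain inside the web root. The directory layout, file names and contents are constructed for the example.

```python
"""Path traversal: a naive file lookup beside a hardened one.

Added example in generic Python; not ColdFusion code and not tied to the
specific flaw in the article. It shows only the general class of bug.
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def naive_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: trusts the request path and joins it as-is,
    so '../secret.txt' resolves to a file outside base_dir."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened pattern: decode, reject obviously hostile forms, resolve
    to a canonical path and require containment in base_dir.
    Returns the canonical path, or None if the request must be refused."""
    # Decode percent-encoding twice so a double-encoded '%252e%252e%252f'
    # is seen as '../' before the containment test, not after.
    decoded = user_path
    for _ in range(2):
        decoded = unquote(decoded)
    # Refuse absolute paths, Windows separators and drive letters outright.
    if decoded.startswith(("/", "\\")) or "\\" in decoded or ":" in decoded:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, decoded))
    # Containment test: the common prefix of root and candidate must be
    # root itself. realpath has already collapsed '..' and symlinks.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> dict:
    """Build a constructed layout in a temp dir and exercise both resolvers.

    <tmp>/webroot/index.html   -- legitimate, inside the web root
    <tmp>/secret.txt           -- constructed file outside the web root
    """
    with tempfile.TemporaryDirectory() as tmp:
        web = os.path.join(tmp, "webroot")
        os.makedirs(web)
        with open(os.path.join(web, "index.html"), "w") as f:
            f.write("hello")
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("constructed secret, not real data")

        outside = os.path.realpath(os.path.join(tmp, "secret.txt"))
        legit = os.path.realpath(os.path.join(web, "index.html"))
        traversal = "../secret.txt"

        return {
            # The naive join lands on the file outside the web root.
            "naive_escapes": os.path.realpath(naive_resolve(web, traversal)) == outside,
            # The hardened lookup refuses the plain and encoded forms...
            "safe_blocks": safe_resolve(web, traversal) is None,
            "safe_encoded_blocks": safe_resolve(web, "%2e%2e%2fsecret.txt") is None,
            "safe_double_encoded_blocks": safe_resolve(web, "%252e%252e%252fsecret.txt") is None,
            # ...but still serves a legitimate file inside it.
            "safe_allows_legit": safe_resolve(web, "index.html") == legit,
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check is the important part: rejecting the literal string `../` is not enough, because encoded and double-encoded variants decode to the same thing, which is why decoding happens before the test and the final comparison is made on canonical paths rather than on the request string.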
The Cybersecurity and Infrastructure Security Agency (CISA) has long warned about the severity of such flaws. In May, it called on software vendors to eliminate these vulnerabilities before releasing their products. CISA highlighted that directory traversal issues (such as CWE-22 and CWE-23) have been a persistent problem for years.
Last year, CISA issued directives to federal agencies to secure Adobe ColdFusion servers after two critical vulnerabilities (CVE-2023-29298 and CVE-2023-38205) were found being exploited, including one as a zero-day. Another critical ColdFusion flaw (CVE-2023-26360) was also actively used in attacks targeting outdated government servers.
What You Should Do
If you’re running Adobe ColdFusion 2023 or 2021, it’s critical to act now. Apply the emergency updates immediately and ensure your server configurations follow Adobe’s lockdown recommendations. Proactive measures like these can help prevent exploitation and safeguard your systems from potential attacks.
Bijay Pokharel