Adobe Patches ColdFusion Vulnerability With High Exploitation Risk

Adobe on Monday warned that proof-of-concept (PoC) code exists for a fresh ColdFusion vulnerability.

Tracked as CVE-2024-53961 (CVSS score of 7.4), the security defect is described as a path traversal issue leading to arbitrary file system read if the ‘pmtagent’ package is installed on the ColdFusion server.

“An attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data,” a NIST advisory reads.

Although the flaw has a ‘high severity’ rating based on its CVSS score, Adobe considers it critical, marking it as ‘Priority 1’ and warning that it has a high risk of being targeted in attacks.

“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” the company warns.

The vulnerability affects ColdFusion 2023 update 11 and earlier and ColdFusion 2021 update 17 and earlier. It was resolved with the release of ColdFusion 2023 update 12 and ColdFusion 2021 update 18.

ColdFusion installations should be updated as soon as possible. Adobe also recommends reviewing its lockdown guides for the affected versions and, if the Performance Monitoring Toolset (PMT) is in use, ensuring that the PMT server is up and running during the update.

Vulnerabilities in Adobe ColdFusion have long been an attractive target for threat actors. Last week, the US cybersecurity agency CISA warned that an improper access control defect in ColdFusion patched in March 2024 has been exploited in the wild. The flaw is tracked as CVE-2024-20767.

In December last year, CISA warned that a ColdFusion bug leading to arbitrary code execution had been exploited in attacks targeting servers belonging to a federal civilian executive branch (FCEB) agency. Tracked as CVE-2023-26360, the defect was patched in March 2023, after being exploited in the wild.
