Adobe Issues Emergency Patch for Critical ColdFusion Vulnerability with PoC Exploit

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Adobe has issued an out-of-band security update to address a critical vulnerability identified as CVE-2024-53961 in its ColdFusion software, which is actively being abused through proof-of-concept (PoC) exploit code.  

The vulnerability is a path traversal flaw affecting Adobe ColdFusion versions 2023 and 2021. If exploited, it allows attackers to read arbitrary files on vulnerable servers, raising significant concerns over potential data breaches.

"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," the company stated in an advisory released on Monday. To underscore the urgency, the vulnerability has been classified as "Priority 1," indicating a heightened risk of active exploitation in the wild.  

Adobe has released ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12 to mitigate the vulnerability. Administrators have been urged to install these patches immediately, with Adobe recommending deployment "within 72 hours."  

Additionally, Adobe advises users to apply the security configuration settings outlined in its ColdFusion 2023 and ColdFusion 2021 lockdown guides. To further reduce the attack surface, the company has also updated its serial filter documentation to help prevent WDDX deserialization attacks, another avenue for exploitation.

Though Adobe has not confirmed whether the vulnerability has been exploited in the wild, the threat is deemed severe enough to warrant action. Path traversal vulnerabilities, such as this one, are a longstanding issue within cybersecurity.  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has been particularly vocal about the dangers of such flaws. 

According to CISA, path traversal vulnerabilities (classified as CWE-22 and CWE-23) allow attackers to access sensitive data, such as credentials, which can then be used for brute-force attacks or system breaches. CISA has labeled these vulnerabilities "unforgivable" because they remain far too prevalent in modern systems.
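As an added defensive illustration (example code written for this article, not Adobe's patch or any ColdFusion code), the following Python check shows how a file-serving handler can confine a user-supplied path to a base directory, and how a log reviewer can flag traversal attempts after the advisory; the base directory and request paths are constructed for the example.

```python
"""Defensive check for CWE-22 path traversal, the flaw class behind CVE-2024-53961.
Added example: base directory and request paths below are constructed, not from
any real deployment."""
import os
import urllib.parse
from typing import Optional

MAX_DECODE_ROUNDS = 3  # enough to unwrap double/triple percent-encoding


def decode_fully(raw: str) -> str:
    """Percent-decode until stable, so %252e%252e is recognised as '..'."""
    cur = raw
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = urllib.parse.unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return an absolute path inside base_dir, or None if the request escapes it."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:  # NUL bytes can truncate paths in native layers
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    if decoded.startswith("/"):  # absolute paths are never acceptable here
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment: candidate must be base itself or sit strictly below base + '/'.
    # The separator guard stops '/srv/webroot2' from passing for base '/srv/webroot'.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Detection helper for access-log review: flags any '..' segment after decoding."""
    decoded = decode_fully(request_path).replace("\\", "/")
    return any(seg == ".." for seg in decoded.split("/"))
```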

Many such attacks succeed only because users fail to apply the latest patches and keep running outdated software. In some cases, however, no fix is available because the affected product has reached end-of-life status.
