Adobe has released an out-of-band security update to address a ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In a statement released on Monday, December 23, 2024, the company said that the vulnerability was caused by a path traversal weakness affecting Adobe ColdFusion versions 2023 and 2021. This could allow attackers to read arbitrary files on the vulnerable server.
“Adobe is aware that CVE-2024-53961 has a known proof of concept that can lead to arbitrary file system reading,” Adobe said, while also warning customers that they have assigned a severity rating of “Priority 1” to the vulnerability due to its “higher risk of being targeted by exploitation in the wild for certain product versions and platforms.”
The company advises administrators to immediately install the emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12), “for example, within 72 hours,” and to apply the security configuration settings described in the ColdFusion 2023 and ColdFusion 2021 lockdown guides.
Although Adobe has not disclosed whether this vulnerability has been exploited in the wild, it also advised customers to review the updated serial filter documentation for more information on how to block unsafe WDDX deserialization attacks.
As warned by CISA in May when urging software companies to eliminate path traversal security bugs before releasing their products, attackers can exploit these vulnerabilities to access sensitive data, including credentials that can be used to brute-force existing accounts and compromise the target system.
“Vulnerabilities such as directory traversal have been deemed ‘unforgivable’ since 2007. Despite these findings, directory traversal vulnerabilities (such as CWE-22 and CWE-23) remain a common class of vulnerabilities,” CISA said.
Last year, in July 2023, CISA also ordered federal agencies to secure their Adobe ColdFusion servers before August 10 against two critical security vulnerabilities (CVE-2023-29298 and CVE-2023-38205) that were exploited in attacks, one of which was a zero-day.
US cybersecurity agencies also revealed a year ago that hackers had exploited another critical ColdFusion vulnerability (CVE-2023-26360) to breach outdated government servers since June 2023. The same vulnerability has been actively exploited in “very limited” zero-day attacks since March 2023.
Source:
https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code
https://helpx.adobe.com/security/products/coldfusion/apsb24-107.html
https://www.bleepingcomputer.com/news/security/cisa-urges-software-devs-to-weed-out-path-traversal-vulnerabilities