Critical ColdFusion Vulnerability: Urgent Update Needed to Prevent Data Breaches
Adobe has released out-of-band security updates for a critical vulnerability in ColdFusion, tracked as CVE-2024-53961, for which Adobe says a proof-of-concept exploit already exists. The flaw is a path traversal weakness (CWE-22, improper limitation of a pathname to a restricted directory): an unauthenticated attacker can supply a crafted path and read arbitrary files from the file system of a vulnerable server.
The vulnerability affects ColdFusion 2023 (Update 11 and earlier) and ColdFusion 2021 (Update 17 and earlier). Adobe assigned it a "Priority 1" rating, its highest, because of the elevated likelihood of exploitation; the CVSS base score is 7.4. Note that the priority rating, not the CVSS number, drives the urgency here. Administrators are urged to install ColdFusion 2021 Update 18 or ColdFusion 2023 Update 12 within 72 hours and to confirm the installed update level afterwards rather than assuming the update completed.
Beyond the patch, Adobe recommends hardening ColdFusion as described in the ColdFusion 2023 and ColdFusion 2021 lockdown guides and updating the serialization filters so that unsafe deserialization through WDDX is blocked. These are defence-in-depth measures that complement the update; they do not replace it.
Adobe has not reported in-the-wild exploitation as of the advisory, but a public proof of concept shortens the window considerably, and CISA has previously urged vendors and defenders to treat this class of bug seriously. Directory traversal flaws have been documented since at least 2007 and remain a significant threat because an arbitrary file read exposes configuration files, credentials, and keys that enable follow-on compromise.
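Since an arbitrary file read leaves a trace in the web server's access log, one practical check while patching is to scan those logs for traversal attempts. The script below is an added example, not code from the Adobe advisory or from Adobe or CISA tooling; it does not reproduce the CVE-2024-53961 exploit path. The log lines are constructed in Combined Log Format with hypothetical hosts and request paths, and the detector handles the usual evasions (URL encoding, double encoding, backslashes) while ignoring benign filenames that merely contain two dots.

```python
"""Scan web access logs for directory-traversal attempts.

Added example; not part of the original advisory or any vendor tooling.
Sample log lines are constructed and the request paths are hypothetical.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (Combined Log Format, hypothetical hosts/paths).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Dec/2024:10:01:02 +0000] "GET /cfide/index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Dec/2024:10:01:05 +0000] "GET /app/download.cfm?file=../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.9 - - [23/Dec/2024:10:02:11 +0000] "GET /app/download.cfm?file=..%2F..%2F..%2Fopt%2Fapp%2Fconfig.properties HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.9 - - [23/Dec/2024:10:02:12 +0000] "GET /app/download.cfm?file=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.4 - - [23/Dec/2024:10:03:00 +0000] "GET /app/download.cfm?file=report..pdf HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

# Pull client IP, timestamp, method, request target and status from each line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A ".." segment delimited by a slash, path start, or query separator.
# "report..pdf" does not match because the dots are not a whole segment.
TRAVERSAL_RE = re.compile(r'(^|[/?=&])\.\.(/|$)')


def normalize(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats double encoding), unify slashes."""
    decoded = path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(path: str) -> bool:
    """True if the request target contains a parent-directory segment."""
    return bool(TRAVERSAL_RE.search(normalize(path)))


def scan_log(text: str) -> list:
    """Return one record per request that looks like a traversal attempt.

    Non-200 responses are kept too: a probe that failed still tells you
    who is scanning, and a later request from the same source may succeed.
    """
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        if is_traversal(m["path"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "raw": m["path"],
                "decoded": normalize(m["path"]),
            })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        flag = "SUCCEEDED" if h["status"] == 200 else "failed"
        print(f'{h["ts"]} {h["ip"]} {flag} {h["decoded"]}')
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a 200 response on a traversal request is the line to escalate, since it means the file was actually served.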
In 2023, CISA ordered federal agencies to patch ColdFusion after critical flaws, including the zero-day CVE-2023-26360, were exploited in attacks against outdated servers; that vulnerability was added to CISA's Known Exploited Vulnerabilities catalog, and CISA later published an advisory on its use against government systems still running unpatched versions.