Adobe has released security updates to address a critical vulnerability in ColdFusion for which proof-of-concept (PoC) exploit code already exists. The flaw, tracked as CVE-2024-53961, is a path traversal weakness that allows attackers to read arbitrary files on vulnerable servers. Adobe confirmed that it affects ColdFusion 2023 and ColdFusion 2021.
In an advisory published Monday, Adobe said the vulnerability carries a high risk of exploitation in real-world attacks. “Adobe is aware that CVE-2024-53961 has proof-of-concept code that could result in arbitrary reading of file systems,” the company warned. It assigned the flaw its priority rating “1”, the rating Adobe reserves for vulnerabilities that are being targeted, or are at elevated risk of being targeted, by exploits in the wild on specific products and platforms.
Adobe urges administrators to install the security updates (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) as a matter of urgency, and recommends doing so within 72 hours, the window Adobe associates with priority-1 fixes. It also recommends applying the hardening settings described in the ColdFusion 2021 and 2023 Lockdown Guides to reduce exposure.
Although Adobe has not confirmed that the vulnerability is being actively exploited, it advised customers to review the updated serialization filter documentation to protect against insecure WDDX deserialization attacks. According to the United States Cybersecurity and Infrastructure Security Agency (CISA), this class of vulnerability is particularly dangerous because an arbitrary file read can expose sensitive data such as credentials, which in turn can be used to gain unauthorized access to systems.
CISA had already warned in 2023 about several critical ColdFusion vulnerabilities and required US federal agencies to patch their servers against attacks. It also revealed, in March of the same year, that attackers were exploiting similar flaws in outdated government servers.