Adobe releases out-of-schedule patch for a ColdFusion flaw with an exploit PoC
Take action: If you are running ColdFusion 2023 or ColdFusion 2021, plan for a quick patch and apply the lockdown measures. While exploitation has not yet been observed, the urgency of this patch and Adobe's out-of-schedule response are indicator enough. Don't delay.
Adobe has released security updates for ColdFusion versions 2023 and 2021 to address a vulnerability for which a proof-of-concept exploit is publicly available and could be turned into a real attack. While exploitation status in the wild is currently undisclosed, the existence of a proof-of-concept exploit and Adobe's urgent response mean users should not delay patching.
The vulnerability is tracked as CVE-2024-53961 (CVSS score 7.4) and is a path traversal weakness that could allow attackers to perform arbitrary file system reads on vulnerable servers. Adobe confirms the existence of a proof-of-concept exploit, leading to a Priority 1 severity rating.
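The advisory only describes CVE-2024-53961 as a path traversal that permits arbitrary file reads, so the following is an added, generic illustration of that bug class and its fix; it is not ColdFusion's code and does not reproduce the actual flaw. It shows a naive file handler that joins a user-supplied name onto a base directory beside a hardened handler that canonicalizes the path and verifies containment. The directory layout, file names and request strings are constructed for the demo.

```python
"""Added example: naive vs. hardened file-read handler for path traversal.

Generic illustration of the path-traversal class named in the advisory.
This is NOT ColdFusion's code and does not reproduce CVE-2024-53961.
The base directory and request values are constructed for the demo.
"""
import os
import tempfile
from pathlib import Path


def naive_read(base_dir: str, requested: str) -> bytes:
    """Vulnerable pattern: join the user-supplied name onto the base
    directory without checking where the result lands. '..' segments
    walk out of base_dir, and an absolute path replaces it entirely."""
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_read(base_dir: str, requested: str) -> bytes:
    """Hardened pattern: reject absolute input, canonicalize the joined
    path (resolving '..' and symlinks), then require it to sit inside
    the canonical base directory before opening it."""
    base = Path(base_dir).resolve()
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path rejected: {requested!r}")
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes base directory: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Build a constructed layout (webroot/page.txt inside, secret.txt
    outside) and run both handlers over a benign request, a '../'
    traversal and an absolute path. Returns 'served' or 'blocked' per
    handler and request, keyed as 'handler:label'."""
    root = Path(tempfile.mkdtemp())
    webroot = root / "webroot"
    webroot.mkdir()
    (webroot / "page.txt").write_bytes(b"public content")
    secret = root / "secret.txt"
    secret.write_bytes(b"outside webroot")

    requests = [
        ("benign", "page.txt"),
        ("traversal", "../secret.txt"),
        ("absolute", str(secret)),
    ]
    results = {}
    for label, req in requests:
        for name, handler in (("naive", naive_read), ("safe", safe_read)):
            try:
                handler(str(webroot), req)
                results[f"{name}:{label}"] = "served"
            except (OSError, PermissionError):
                results[f"{name}:{label}"] = "blocked"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print(f"{key:17s} -> {outcome}")
```

The naive handler serves all three requests, including the two that read outside the web root; the hardened one serves only the benign request. The containment check is done on the resolved path rather than on the raw string so that encoded or symlinked detours are judged by where they actually end up.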
Affected versions include:
- ColdFusion 2023 Update 11 and earlier
- ColdFusion 2021 Update 17 and earlier
The fixes are available in:
- ColdFusion 2023 Update 12
- ColdFusion 2021 Update 18
Adobe recommends installing these patches within 72 hours and applying the security configurations detailed in its lockdown guides.