Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a
path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," Adobe
said today, while also cautioning customers that it assigned a "Priority 1" severity rating to the flaw because it has a "a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform."
The company advises administrators to install today's emergency security patches (ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12) as soon as possible, "for example, within 72 hours," and apply security configuration settings outlined in the
ColdFusion 2023 and
ColdFusion 2021 lockdown guides.
