Adobe has issued urgent security updates for ColdFusion versions 2023 and 2021 to fix a critical vulnerability (CVE-2024-53961). This flaw allows attackers to read arbitrary files from the system, risking exposure of sensitive data and configuration files. It results from improper path limitations, enabling unauthorized access outside the intended directory.
Cybersecurity researcher Jeremiah Fowler discovered an unsecured database with 170,360 records belonging to a real estate company. It contained personal...
GreyNoise found attempts to exploit CVE-2023-28771, a vulnerability in Zyxel's IKE affecting UDP port 500. The attack centers around CVE-2023-28771,...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two high-risk vulnerabilities in its Known Exploited Vulnerabilities (KEV)...
SoftBank has disclosed that personal information of more than 137,000 mobile subscribers—covering names, addresses, and phone numbers—might have been leaked...
Adobe has confirmed a proof-of-concept exploit for CVE-2024-53961, indicating that attackers can exploit this vulnerability. Users should update their ColdFusion installations immediately.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said today, while also cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
CISA warned in May that software companies should fix path traversal security bugs before releasing products, as attackers can exploit these vulnerabilities to access sensitive data, including credentials used to breach accounts and systems.
Source: Adobe
In July 2023, CISA directed federal agencies to secure their Adobe ColdFusion servers by August 10th due to two critical vulnerabilities (CVE-2023-29298 and CVE-2023-38205), one of which was a zero-day exploit.
The U.S. cybersecurity agency reported a year ago that hackers had exploited a ColdFusion vulnerability (CVE-2023-26360) to access outdated government servers since June 2023. This flaw was also used in limited zero-day attacks since March 2023.