InfoSecBulletin Cybersecurity for mankind
Adobe has issued urgent security updates for ColdFusion versions 2023 and 2021 to fix a critical vulnerability (CVE-2024-53961). This flaw allows attackers to read arbitrary files from the system, risking exposure of sensitive data and configuration files. It results from improper path limitations, enabling unauthorized access outside the intended directory.
Proof-of-Concept Exploit Exists:
Sleeping Beauty
Researchers Bypassed CrowdStrike Falcon Sensor partially
CVE-2025-22224
41,500+ VMware ESXi Instances Vulnerable to Attacks
Register Now
AI Engineering Hackathon: Registration Open
Cisco alerts about a Webex flaw that exposes credentials
NVIDIA Issues Warning of Multiple Vulnerabilities
Update Now
Chrome 134 Released, Fixes 14 Vulnerabilities
Broadcom Patches 3 VMware Zero-Days Exploited In Attacks
Singapore issues new guidelines for data center and cloud services
Update Alert!
Google Warns of Critical Android Vulns Under Attack
CISA adds Cisco and Windows vulns as actively exploited
Adobe has confirmed a proof-of-concept exploit for CVE-2024-53961, indicating that attackers can exploit this vulnerability. Users should update their ColdFusion installations immediately.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said today, while also cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
CISA warned in May that software companies should fix path traversal security bugs before releasing products, as attackers can exploit these vulnerabilities to access sensitive data, including credentials used to breach accounts and systems.
In July 2023, CISA directed federal agencies to secure their Adobe ColdFusion servers by August 10th due to two critical vulnerabilities (CVE-2023-29298 and CVE-2023-38205), one of which was a zero-day exploit.
The U.S. cybersecurity agency reported a year ago that hackers had exploited a ColdFusion vulnerability (CVE-2023-26360) to access outdated government servers since June 2023. This flaw was also used in limited zero-day attacks since March 2023.
