Adobe has issued urgent security updates for ColdFusion versions 2023 and 2021 to fix a critical vulnerability (CVE-2024-53961). This flaw allows attackers to read arbitrary files from the system, risking exposure of sensitive data and configuration files. It results from improper path limitations, enabling unauthorized access outside the intended directory.
Indian government and educational websites, along with reputable financial brands, have experienced SEO poisoning, causing user traffic to be redirected...
A serious authentication bypass vulnerability in SonicWall firewalls, called CVE-2024-53704, is currently being exploited, according to cybersecurity firms. The increase...
RedMike (Salt Typhoon) targeted university devices in Bangladesh, likely to access research in telecommunications, engineering, and technology, especially from institutions...
Adobe has confirmed a proof-of-concept exploit for CVE-2024-53961, indicating that attackers can exploit this vulnerability. Users should update their ColdFusion installations immediately.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,” Adobe said today, while also cautioning customers that it assigned a “Priority 1” severity rating to the flaw because it has a “a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.”
CISA warned in May that software companies should fix path traversal security bugs before releasing products, as attackers can exploit these vulnerabilities to access sensitive data, including credentials used to breach accounts and systems.
Source: Adobe
In July 2023, CISA directed federal agencies to secure their Adobe ColdFusion servers by August 10th due to two critical vulnerabilities (CVE-2023-29298 and CVE-2023-38205), one of which was a zero-day exploit.
The U.S. cybersecurity agency reported a year ago that hackers had exploited a ColdFusion vulnerability (CVE-2023-26360) to access outdated government servers since June 2023. This flaw was also used in limited zero-day attacks since March 2023.