Pierluigi Paganini
December 24, 2024
Adobe released out-of-band security updates to address a critical vulnerability, tracked as CVE-2024-53961 (CVSS score 7.4), in ColdFusion. Experts warn of the availability of a proof-of-concept (PoC) exploit code for this vulnerability.
The vulnerability is an improper limitation of a pathname to a restricted directory (‘Path Traversal’) that could lead to arbitrary file system readings.
The flaw impacts Adobe ColdFusion versions 2023 and 2021.
“Adobe has released security updates for ColdFusion versions 2023 and 2021. These updates resolve a critical vulnerability that could lead to arbitrary file system read.” reads the advisory.
“Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read,”
The researcher that goes online with the moniker ma4ter reported the vulnerability to the software giant.
The company recommends users update their installations to the newest versions:
| Product | Updated Version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| ColdFusion 2023 | Update 12 | All | 1 | Tech Note |
| ColdFusion 2021 | Update 18 | All | 1 | Tech Note |
At the time of this writing, it is unclear if the company is aware of attacks in the wild exploiting this vulnerability.
In December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Adobe ColdFusion issue, tracked as CVE-2024-20767, to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerability CVE-2024-20767 (CVSS score 7.4) is an Improper Access Control issue in ColdFusion versions 2023.6, 2021.12, and earlier. An attacker can exploit the flaw to gain arbitrary file reads. Exploitation requires an exposed admin panel.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Adobe)
Pierluigi Paganini
September 18, 2025
