Adobe has released out-of-band updates to address a critical flaw in

ColdFusion web application development platform that has been exploited in the wild.

Adobe has released out-of-band updates to address a zero-day vulnerability in the ColdFusion web application development platform that has been exploited in the wild.

The vulnerability, tracked as CVE-2019-7816, has been described by the vendor as a file upload restriction bypass issue that could lead to arbitrary code execution in the context of the ColdFusion service.

“Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service. ” reads the security advisory published by Adobe.

“Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.”

The zero-day vulnerability has been addressed in ColdFusion 11, ColdFusion 2016 and ColdFusion 2018.

The company is urging users to install the updates and to apply security configuration settings reported lockdown guides and the ColdFusion security page.

The flaw allows an attacker to upload executable code to a directory than is accessible online, and then execute that code via an HTTP request.

“This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack,” reads a note published by Adobe in the advisory.

The company did not provide additional details about the attacks leveraging this zero-day.

Adobe credited Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek and Bridge Catalog Team for reporting the vulnerability.

In November, another flaw in ColdFusion was exploited by threat actors in attacks in the wild. Security experts from Volexity reported that attackers in the wild were exploiting a recently patched remote code execution vulnerability affecting the Adobe ColdFusion.

The flaw, tracked as CVE-2018-15961, is an unrestricted file upload vulnerability, successful exploitation could lead to arbitrary code execution.

The vulnerability was reported by Pete Freitag of Foundeo and addressed in September by Adobe (security bulletin APSB18-33).

Researchers from Volexity uncovered a Chinese-based APT group exploiting the vulnerability to upload the China Chopper webshell to a vulnerable server.

The analysis of the hacked server revealed that it had all ColdFusion updates installed, except for the CVE-2018-15961 fix. Attackers exploited the flaw, a couple of weeks after Adobe released the security patches.

Pierluigi Paganini

( SecurityAffairs – Adobe,hacking)

Share this...

Linkedin Reddit Pinterest

Share On