Adobe has released out-of-band updates to address a zero-day vulnerability in the ColdFusion web application development platform that has been exploited in the wild.
The vulnerability, tracked as CVE-2019-7816, has been described by the vendor as a file upload restriction bypass issue that could lead to arbitrary code execution in the context of the ColdFusion service.
“Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.” reads the security advisory published by Adobe.
“Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.”
The zero-day vulnerability has been addressed in ColdFusion 11, ColdFusion 2016 and ColdFusion 2018.
The company is urging users to install the updates and to apply the security configuration settings described in the lockdown guides and on the ColdFusion security page.
The flaw allows an attacker to upload executable code to a directory that is accessible online, and then execute that code via an HTTP request.
“This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack,” reads a note published by Adobe in the advisory.
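A defender-side check that complements the directory restriction Adobe recommends, added here as an example that is not part of the advisory or of this article: it walks an upload directory and flags every file whose final extension the ColdFusion engine (or the Tomcat it runs on) would execute if a request reached it, including double-extension names such as photo.jpg.cfm. The directory layout, file names and contents are constructed for the example, and the extension list is the author's assumption about what a ColdFusion install treats as executable.

```python
import os
import tempfile
from pathlib import Path

# Extensions assumed to be executed by the ColdFusion engine / Tomcat when a
# request reaches the file. Compared case-insensitively because Windows and the
# CF connector treat "shell.CFM" the same as "shell.cfm".
EXECUTABLE_EXTENSIONS = {".cfm", ".cfml", ".cfc", ".cfr", ".jsp", ".jspx"}

# Constructed sample upload directory: names and contents are made up here.
SAMPLE_FILES = {
    "avatar.png": b"\x89PNG fake image bytes",
    "report.pdf": b"%PDF-1.4 fake document",
    "photo.jpg.cfm": b"<cfoutput>#cgi.remote_addr#</cfoutput>",
    "nested/notes.CFC": b"<cfcomponent></cfcomponent>",
    "nested/deep/index.jsp": b"<% out.println(1); %>",
}


def build_sample_tree(base: str) -> str:
    """Create the constructed upload tree under `base`; return its root path."""
    root = Path(base) / "uploads"
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return str(root)


def find_executable_uploads(root: str) -> list:
    """Return sorted relative paths of files under `root` whose FINAL extension
    is executable. Only the last suffix matters: 'photo.jpg.cfm' is a .cfm
    template no matter what the inner '.jpg' suggests."""
    root_path = Path(root)
    flagged = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            if Path(name).suffix.lower() in EXECUTABLE_EXTENSIONS:
                flagged.append(Path(dirpath, name).relative_to(root_path).as_posix())
    return sorted(flagged)


def scan_constructed_sample() -> list:
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_executable_uploads(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in scan_constructed_sample():
        print(f"executable file in upload directory: {hit}")
```

Run it against a real upload directory by calling find_executable_uploads with that path; any hit is a file that the access restriction alone does not remove.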
The company did not provide additional details about the attacks leveraging this zero-day.
Adobe credited Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek and Bridge Catalog Team for reporting the vulnerability.
In November, another flaw in ColdFusion was exploited by threat actors in attacks in the wild. Security experts from
The flaw, tracked as CVE-2018-15961, is an unrestricted file upload vulnerability; successful exploitation could lead to arbitrary code execution.
The analysis of the hacked server revealed that it had all ColdFusion updates installed except for the CVE-2018-15961 fix. Attackers exploited the flaw a couple of weeks after Adobe released the security patches.