Adobe is readying a patch for a critical vulnerability in its ColdFusion Web application server that is being used in attacks right now. The vulnerability affects several versions of ColdFusion running on Windows, Unix and OS X.

The flaw, which Adobe plans to patch on May 14, can be used by a remote attacker to retrieve files from affected servers. There is a public exploit available for the vulnerability, making the patch a high priority for enterprises running ColdFusion.

“There are reports that an exploit for this vulnerability is publicly available. ColdFusion customers who have restricted public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories (as outlined in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide) are already mitigated against this issue,” Adobe said in its advisory.

The company recommends that customers running vulnerable versions of ColdFusion, which include 10, 9, 9.02 and 9.01, apply the mitigations described in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide, which prevent exploitation of this vulnerability until the patch is available.
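As an added example (not from the article, Adobe or the lockdown guides), a small check a ColdFusion administrator could run over the web server's access log to see whether the three CFIDE directories named in the advisory are still being reached from outside an allow-list of management networks. The allow-listed networks, the Common Log Format layout and the sample log lines are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List
from urllib.parse import unquote

# Directories Adobe's advisory says should not be publicly reachable.
RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi", "/cfide/gettingstarted")

# Hypothetical allow-list: networks from which admin access is legitimate.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]

# Common Log Format: client - user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or spoofed field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)


def find_untrusted_admin_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries that touch a restricted CFIDE path from outside ALLOWED_NETS.

    The status code is kept so the reader can tell a served request (200) from
    one the lockdown already blocked (403): the former means the directory is
    still exposed, the latter that the restriction is working.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        # Strip the query string, percent-decode and lower-case so that
        # /cfide/..., /CFIDE/... and %2Fadministrator-style spellings all match.
        path = unquote(m.group("path").split("?", 1)[0]).lower()
        if not path.startswith(RESTRICTED_PREFIXES):
            continue
        if is_allowed(m.group("ip")):
            continue
        hits.append({"ip": m.group("ip"), "path": path, "status": m.group("status"), "time": m.group("time")})
    return hits


# Constructed sample log: two internal hits, two external hits, one unrelated page, one junk line.
SAMPLE_LOG = [
    '10.1.2.3 - - [10/May/2013:08:01:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/May/2013:08:02:41 +0000] "GET /CFIDE/adminapi/ HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/May/2013:08:03:05 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/May/2013:08:04:19 +0000] "GET /cfide/administrator/?x=1 HTTP/1.1" 403 301',
    'this line is not an access log entry',
]
```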
