ALERT: Update Adobe ColdFusion for vulnerability

A critical vulnerability has been discovered in Adobe ColdFusion (a web application development platform) that could allow for arbitrary code execution. The vulnerability has been exploited in the wild. Install the updates provided by Adobe immediately after appropriate testing.

Successful exploitation of this vulnerability could result in an attacker executing arbitrary code in the context of the affected application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe is aware of a report that the vulnerability has been exploited in the wild.

• Install the updates provided by Adobe immediately after appropriate testing. See Adobe Security bulletin: Security updates available for ColdFusion | APSB19-14 for links and details.

The vulnerability is a file upload restriction bypass vulnerability that could allow to arbitrary code execution (CVE-2019-7816). The attack would require the ability to upload executable code to a web-accessible directory and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.

• Adobe Security bulletin: Security updates available for ColdFusion | APSB19-14 (Adobe, 3/1/19)
• CVE-2019-7816
• Adobe Patches ColdFusion Vulnerability Exploited in the Wild (Security Week, 3/1/19)
• Adobe Patches Critical ColdFusion Vulnerability With Active Exploit (Threat Post, 3/1/19)