Adobe patches vulnerability in ColdFusion

Adobe has fixed a critical vulnerability in ColdFusion. The flaw made it possible for malicious parties to obtain root rights via Remote Code Execution (RCE) and thus gain access to sensitive data. The American technology company and the National Cyber Security Center (NCSC) advise installing the security patch as soon as possible.

Adobe and the NCSC report this in a recent Security Advisory.

Adobe releases patch outside update schedule

Adobe ColdFusion is a program for developing web applications based on the programming language CFML (ColdFusion Markup Language). Normally, Adobe rolls out updates at fixed times. The current patch was released outside of this update schedule because it addresses a serious vulnerability.

The vulnerability is tracked as CVE-2023-38203 and has been labelled ‘critical’. It could allow hackers and cybercriminals to execute malicious code in order to remotely gain administrator or root privileges. With such rights, they can search corporate networks for confidential or privacy-sensitive information.

Adobe expects hackers to exploit vulnerability

Due to the vulnerability’s impact on business operations, it has been assigned a CVSS score of 9.8. CVSS stands for Common Vulnerability Scoring System and indicates the severity of a vulnerability. The higher the score, the greater the risk that companies run.

There are no signs that cybercriminals have exploited this vulnerability, but Adobe expects this to happen shortly. The company therefore advises customers to install the security update as soon as possible. The fixed releases are ColdFusion 2018 Update 18, ColdFusion 2021 Update 8 and ColdFusion 2023 Update 2.

Adobe credits cybersecurity specialists Rahul Maini, Harsh Jaiswal and MoonBack (ipplus360) for discovering and reporting the vulnerability to the company.
