Adobe has disclosed a critical path traversal vulnerability (CVE-2024-53961) in its ColdFusion web application platform and has confirmed that a proof-of-concept exploit is already circulating. Organizations running vulnerable versions should treat this as an immediate patching priority.
Path Traversal via pmtagent: Arbitrary File Read Beyond Permitted Directories
The vulnerability is a path traversal flaw (CWE-22) with a CVSS score of 7.4. It lets an attacker read arbitrary files on the server through the pmtagent package, reaching data outside the directories that component is meant to expose. Because the primitive is a file read rather than a write, the direct impact is on confidentiality: configuration files, credentials and other secrets on the host become readable.
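A worked illustration of this flaw class, added here and not code from Adobe or from the ColdFusion/pmtagent code base: the vulnerable resolution pattern placed beside the hardened one. The root directory, function names and sample inputs are constructed assumptions for the demonstration, not ColdFusion's real layout or request format. It also shows why a raw-string denylist and a string-prefix check are both insufficient.

```python
"""Path traversal (CWE-22): vulnerable file resolution beside the hardened form.

Added illustration of the flaw class only; this is not Adobe's code and the
directory layout below is a constructed assumption, not ColdFusion's.
"""
import os
from urllib.parse import unquote

# Hypothetical directory the agent is allowed to serve files from (assumption).
ALLOWED_ROOT = "/opt/coldfusion/cfusion/pmt/data"


def weak_filter(raw_name: str) -> bool:
    """Denylist applied to the raw request parameter before decoding.
    It rejects a literal '../' but passes the URL-encoded '..%2f', so it
    offers no real protection. Returns True when the name is "allowed"."""
    return "../" not in raw_name and "..\\" not in raw_name


def unsafe_resolve(raw_name: str) -> str:
    """Vulnerable pattern: decode the parameter (as the web tier would),
    join it onto the root and read whatever the result points at.
    '..' components and absolute names both escape ALLOWED_ROOT."""
    decoded = unquote(raw_name)
    return os.path.normpath(os.path.join(ALLOWED_ROOT, decoded))


def safe_resolve(raw_name: str) -> str:
    """Hardened pattern: decode, join, normalize, then require that the final
    path lies inside ALLOWED_ROOT. commonpath is used instead of a string
    prefix test so a sibling such as '.../data2' is not mistaken for '.../data'.
    Raises ValueError on any escape attempt."""
    decoded = unquote(raw_name)
    candidate = os.path.normpath(os.path.join(ALLOWED_ROOT, decoded))
    root = os.path.normpath(ALLOWED_ROOT)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes allowed root: {raw_name!r} -> {candidate}")
    return candidate


def demo() -> dict:
    """Run constructed sample inputs through all three functions and return
    what each one decides, so the contrast can be checked programmatically."""
    samples = {
        "benign":       "metrics/2024-12.json",
        "encoded_dots": "..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
        "absolute":     "/etc/passwd",
        "sibling_dir":  "../data2/secret.txt",
    }
    results = {}
    for label, raw in samples.items():
        try:
            safe = safe_resolve(raw)
        except ValueError:
            safe = None
        results[label] = {
            "weak_filter_allows": weak_filter(raw),
            "unsafe_path": unsafe_resolve(raw),
            "safe_path": safe,
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:13s} weak_filter={str(r['weak_filter_allows']):5s} "
              f"unsafe={r['unsafe_path']}  safe={r['safe_path']}")
```

The encoded and absolute inputs sail through the denylist and land on `/etc/passwd` in the vulnerable resolver, while the sibling-directory input would also pass a naive `startswith(ALLOWED_ROOT)` test; only the normalize-then-contain check rejects all three. On a real filesystem, use `os.path.realpath` in place of `normpath` so a symlink inside the allowed root cannot point the read outside it.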
Vulnerability Scope and Affected Systems
Affected versions:
- ColdFusion 2023 Update 11 and earlier → patch to Update 12
- ColdFusion 2021 Update 17 and earlier → patch to Update 18
Priority 1 Despite CVSS 7.4: Active PoC Exploit Drives Upgrade Urgency
Adobe assigned the update its Priority 1 (Critical) rating even though the CVSS score of 7.4 falls in the High rather than Critical band, because a working proof-of-concept exploit is already publicly available. Exploitation therefore requires no advanced attacker capability, and any unpatched ColdFusion installation reachable from the internet should be treated as at immediate risk. Apply Adobe's security updates, then verify PMT (Performance Monitoring Toolset) functionality, as Adobe notes it may require separate configuration after patching; Adobe also recommends applying the security configuration settings in the ColdFusion Lockdown Guide for your version, which limit the exposure of administrative components such as PMT.