Adobe has warned that a critical vulnerability in its ColdFusion web app development platform for Windows, Mac and Unix is being exploited by attackers.
The software company warned customers about the security hole in an advisory on Friday, adding that there was evidence that it is already being exploited against ColdFusion users.
The vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631) affect the 10, 9.0.2, 9.0.1 and 9.0 versions on all platforms and would allow an unauthorised user to remotely bypass authentication controls in an attempt to take control of a server. Adobe also said the holes could allow an unauthorised user to access restricted directories or glean information from a compromised server.
The company also noted that two of the vulnerabilities only affect ColdFusion users who have no password set or have not enabled password protection at all.
Adobe said it is working on a patch for the vulnerabilities, which is expected to be available for all platforms on 15 January. Until then, the company recommends configuring a username and password for the Remote Development Service and to disable external access to certain directories (/CFIDE/administrator, /CFIDE/adminapi, /CFIDE/componentutils) for hosted sites.