Adobe releases out-of-band update to patch ColdFusion zero-day

ColdFusion developers spot new zero-day exploited in the wild.


Adobe today released an emergency out-of-band update for its ColdFusion development platform, patching a zero-day vulnerability that was being exploited in the wild.

In its security bulletin that was just sent out, Adobe described the vulnerability as a "file upload restriction bypass" and gave it a rating of "critical."

"This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack," Adobe said.
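Adobe's description gives defenders a concrete thing to watch for: an HTTP request that targets a server-executable file under the directory where uploads are stored, which is the second step of the attack and the one the recommended restriction blocks. The script below is an added example, not code from Adobe or from the article, that scans web-server access log lines (Common Log Format, constructed here) for such requests; the upload path prefixes and the extension list are assumptions for a hypothetical site.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed, site-specific: directories where user uploads land, and the
# server-side extensions a ColdFusion/J2EE server would execute if requested.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx"}

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string and decode percent-encoding so "%2Ecfm" and
    # mixed case cannot slip past the extension check.
    entry["path"] = unquote(urlsplit(entry["target"]).path).lower()
    return entry


def is_exec_request_to_upload_dir(entry):
    """True if the request path is under an upload directory and ends in an
    extension the application server would execute rather than serve."""
    path = entry["path"]
    if not path.startswith(UPLOAD_PREFIXES):
        return False
    filename = path.rsplit("/", 1)[-1]
    ext = filename[filename.rfind("."):] if "." in filename else ""
    return ext in EXECUTABLE_EXTS


def flag_suspicious(lines):
    """Return (client, method, path, status) for every flagged request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_exec_request_to_upload_dir(entry):
            hits.append((entry["client"], entry["method"], entry["path"], entry["status"]))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2019:10:00:01 +0000] "POST /upload.cfm HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2019:10:00:07 +0000] "GET /uploads/invoice.jpg.cfm?v=1 HTTP/1.1" 200 2048',
    '198.51.100.8 - - [01/Mar/2019:10:01:15 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90112',
    '203.0.113.5 - - [01/Mar/2019:10:02:30 +0000] "GET /userfiles/x.JSP HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG):
        print(hit)
```

A 404 hit still matters: it shows a client probing for an executable file in the upload directory, even if that particular upload did not land.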

The zero-day, tracked as CVE-2019-7816, impacts the three versions of the ColdFusion platform that are still maintained -- ColdFusion 11, 2016, and 2018.

Adobe released the ColdFusion 11 Update 18, ColdFusion 2016 Update 10, and ColdFusion 2018 Update 3 versions to patch the bug. The company said all previous versions are vulnerable to this attack.

The software maker's usual patch day this month would have been March 12, the same day as Microsoft's Patch Tuesday.

Adobe credited five researchers for finding the zero-day -- Charlie Arehart, Moshe Ruzin, Josh Ford, Jason Solarek, and Bridge Catalog Team. All are ColdFusion developers and support specialists rather than security researchers, the people who usually discover and report active zero-day exploitation.

Back in November, a Chinese nation-state cyber-espionage group exploited a similar ColdFusion file upload vulnerability to take over vulnerable servers whose owners had not applied Adobe's September 2018 security updates.

Adobe did not reveal how today's zero-day was exploited in the wild.
