Adobe recently issued a patch for a high-severity vulnerability for ColdFusion versions 2023.11 and 2021.17 and earlier; according to the National Institute of Standards and Technology  (NIST), “an attacker could exploit this vulnerability to access files or directories that are outside of the restricted directory set by the application. This could lead to the disclosure of sensitive information or the manipulation of system data.”  The patches, ColdFusion (2023 release) Update 12 (release date, December 23, 2024) “resolves a critical vulnerability that could lead to arbitrary file system read, if the pmtagent package is installed on your ColdFusion server.”

The vulnerability, referred to as CVE-2024-53961, is considered critical, and Adobe has marked it as Priority 1, “warning that it has a high risk of being targeted in attacks.” Adobe recommends that companies using ColdFusion should install the patches as soon as possible.