Actively Exploited Zero-Day ColdFusion Vulnerability Patched by Adobe

Adobe has issued an out-of-band update to correct the actively exploited ColdFusion vulnerability CVE-2019-7816.

The zero-day flaw in its web application development platform is a file upload restriction bypass issue. If exploited, the flaw could allow remote code execution. At least one threat actor is known to be exploiting the flaw in the wild.

According to Adobe, in order to exploit the flaw, an attacker would need to have the capability of uploading an executable file to a web-accessible directory. The file could then be executed via an HTTP request.

The flaw is present in ColdFusion 2018 update 2 and earlier, ColdFusion 2016 update 9 and earlier, and ColdFusion 11 update 17 and prior versions.

Due to the seriousness of the flaw, Adobe took the decision to release an update outside its normal patch cycle. Users of ColdFusion 11, ColdFusion 2016, and ColdFusion 2018 have been advised to install the update as soon as possible to prevent the flaw from being exploited. Adobe recommends applying the update within 72 hours. Alternatively, until the update can be applied, users can mitigate the issue by restricting requests to the directories where uploaded files are stored.

Adobe has not released any information on how threat actors are exploiting the ColdFusion vulnerability, although security consultant Charlie Arehart, who has been credited with discovering the vulnerability, identified it after it had been used to attack one of his clients. The update was released within days of the flaw being reported to Adobe.

Now that the update has been released, further threat actors are likely to get in on the act and start conducting campaigns. It is possible that a method of exploiting the flaw could be devised from the information Adobe has released. All users should therefore update ColdFusion as soon as possible.

This is not the first out-of-band update to be issued by Adobe ahead of March Patch Tuesday. Separate updates were issued for Adobe Reader and Acrobat Reader last week, again to correct flaws that were being actively exploited.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news