
CVE-2018-15961

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 25 September 2018
Modified: 23 October 2025
KEV Added: 03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9439 (100.0th percentile)
Risk Priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-15961 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

Adobe ColdFusion versions 2018.0.0.310739 (July 12 release), Update 6 and earlier, and Update 14 and earlier contain an unrestricted file upload vulnerability, identified as CVE-2018-15961 and associated with CWE-434. The affected component permits upload of files without sufficient type or content restrictions on the server.

Remote attackers can exploit the flaw over the network without authentication or user interaction. Successful exploitation results in arbitrary code execution with full impact to confidentiality, integrity, and availability, consistent with the CVSS 9.8 rating.

Adobe published security bulletin APSB18-33 to address the issue. Public exploit code for the vulnerability is available on Exploit-DB.


Vulnerability details

Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 11.0, 2016, 2018

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Directly requires validation of file uploads to enforce allowed types and content, blocking the unrestricted upload vector in ColdFusion.

SI-3 Malicious Code Protection (prevent, detect)

Requires malicious-code scanning and blocking on all inputs, including uploaded files, preventing the arbitrary code execution that follows exploitation of CVE-2018-15961.

prevent

Enforces access-control policy on the upload function itself, ensuring only authorized, validated operations can write files to the server.
