CVE-2018-4939
Published: 19 May 2018
Summary
CVE-2018-4939 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe ColdFusion Update 5 and earlier versions, along with ColdFusion 11 Update 13 and earlier versions, contain a deserialization of untrusted data vulnerability tracked as CVE-2018-4939 and CWE-502. The flaw carries a CVSS 3.1 score of 9.8 and permits arbitrary code execution when untrusted data is processed without adequate validation.
Remote attackers can exploit the issue over the network without authentication or user interaction by supplying crafted serialized payloads that the affected ColdFusion instances deserialize, resulting in full control of the application process and underlying system.
The Adobe security bulletin APSB18-14 and associated patches address the vulnerability through updates that correct the deserialization handling. The entry also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-16724
Vulnerability details
Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted serialized input before deserialization, blocking the crafted payloads that trigger arbitrary code execution in ColdFusion.
- SI-2 (Flaw Remediation): Mandates timely application of the vendor patches that correct the unsafe deserialization handling, eliminating the exploitable flaw described in APSB18-14.
- Software and information integrity: Requires integrity verification of software and information to detect or block unauthorized code introduced via malicious deserialized objects.