CVE-2018-4939

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 19 May 2018

Modified: 23 October 2025
KEV Added: 03 November 2021
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.5050 (97.9th percentile)
Risk Priority: 70 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-4939 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe ColdFusion Update 5 and earlier versions, along with ColdFusion 11 Update 13 and earlier versions, contain a deserialization of untrusted data vulnerability tracked as CVE-2018-4939 and classified as CWE-502. The flaw carries a CVSS 3.1 score of 9.8 and permits arbitrary code execution when untrusted serialized data is processed without adequate validation.

Remote attackers can exploit the issue over the network without authentication or user interaction by supplying crafted serialized payloads that the affected ColdFusion instances deserialize, resulting in full control of the application process and underlying system.

The Adobe security bulletin APSB18-14 and its associated patches address the vulnerability through updates that correct the deserialization handling. The CVE also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

Adobe ColdFusion Update 5 and earlier versions, ColdFusion 11 Update 13 and earlier versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 03 November 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 11.0, 2016

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of untrusted serialized input before deserialization, blocking the crafted payloads that trigger arbitrary code execution in ColdFusion.

prevent (SI-2, Flaw Remediation): Mandates timely application of vendor patches that correct the unsafe deserialization handling, eliminating the exploitable flaw described in APSB18-14.

prevent, detect: Requires integrity verification of software and information to detect or block unauthorized code introduced via malicious deserialized objects.

References