CVE-2024-20767
Published: 18 March 2024
Summary
CVE-2024-20767 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion. Its CVSS base score is 7.4 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).
Deeper analysis
Adobe ColdFusion versions 2023.6, 2021.12 and earlier contain an Improper Access Control vulnerability (CWE-284) that permits arbitrary file-system reads. The flaw affects the administrative interface and carries a CVSS 3.1 score of 7.4, reflecting network attack vector, high attack complexity, and no required privileges or user interaction.
An unauthenticated attacker who can reach an internet-exposed ColdFusion admin panel can read or modify otherwise restricted files on the underlying server. Exploitation does not depend on user interaction and succeeds solely by sending crafted requests to the exposed administrative endpoints.
Adobe’s APSB24-14 bulletin details the affected builds and remediation steps, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog. The associated EPSS score peaked at 0.9668 and currently stands at 0.9409. EPSS estimates the probability of exploitation activity in the next 30 days, so a score this high indicates sustained, very likely exploitation after disclosure, consistent with the KEV listing; it is a prediction, not itself evidence of a specific intrusion.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-18482
Vulnerability details
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 16 December 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access restrictions on the ColdFusion admin panel and the underlying file system, blocking the unauthorized reads that define CVE-2024-20767. Note that AC-3 limits what an authenticated principal may do; because this flaw is exploitable without credentials, AC-3 alone does not remove the exposure, and patching to a fixed build per APSB24-14 remains the primary fix.
- AC-17 (Remote Access): Requires explicit authorization and control of remote connections to the administrative interface, eliminating the internet exposure the vulnerability requires.
- SC-7 (Boundary Protection): Applies boundary protections and network segmentation to keep the ColdFusion admin panel off untrusted networks, stopping the network attack path.
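Because exploitation requires the administrative interface to be reachable from the internet, the practical check behind AC-17 and the boundary-protection control is whether requests to the ColdFusion Administrator paths are arriving from, and being served to, addresses outside the management network. The script below is an added example (not code from the original page or from Adobe): it parses web-server access logs in the combined log format, picks out requests under the ColdFusion administrative URL prefixes, and reports any whose source lies outside an operator-defined allow-list. The administrative prefixes, the management networks, and the sample log lines are all assumptions constructed for illustration; adjust the first two to your deployment and Adobe's lockdown guidance.

```python
"""Flag ColdFusion Administrator requests that arrived from outside an
approved management network.

Added example: not from the CVE page or from Adobe. Paths, networks and
log lines are constructed assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Administrative URL prefixes that should never be reachable from untrusted
# networks. /CFIDE/administrator is the ColdFusion Administrator;
# /CFIDE/adminapi is its programmatic counterpart. Assumed starting point,
# not an exhaustive inventory of every path a lockdown should cover.
ADMIN_PREFIXES = (
    "/cfide/administrator",
    "/cfide/adminapi",
)

# Management networks permitted to reach the admin panel (assumed values).
MANAGEMENT_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Combined log format: host ident authuser [date] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


@dataclass(frozen=True)
class Finding:
    src: str
    path: str
    status: int
    timestamp: str


def normalize_path(path: str) -> str:
    """Drop the query string, collapse repeated slashes and lower-case the
    path so trivial variations (mixed case, //CFIDE) still match."""
    path = path.split("?", 1)[0]
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_admin_path(path: str) -> bool:
    """True if the request targets an administrative prefix (exact or below)."""
    norm = normalize_path(path)
    return any(norm == p or norm.startswith(p + "/") for p in ADMIN_PREFIXES)


def is_management_source(src: str, nets=MANAGEMENT_NETWORKS) -> bool:
    """True if the source address falls inside an allowed management network.
    Unparsable sources are treated as untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def find_exposed_admin_requests(lines: Iterable[str],
                                nets=MANAGEMENT_NETWORKS) -> List[Finding]:
    """Return admin-path requests whose source is outside the allow-list.
    A status below 400 means the panel actually answered, i.e. it is exposed."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_admin_path(m["path"]):
            continue
        if is_management_source(m["src"], nets):
            continue
        findings.append(Finding(m["src"], m["path"], int(m["status"]), m["ts"]))
    return findings


# Constructed sample log: two admin hits from the management LAN, two from
# the Internet (one served with 200, one blocked with 403), one ordinary page.
SAMPLE_LOG = [
    '10.20.1.15 - - [20/Dec/2024:09:12:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.42 - - [20/Dec/2024:09:13:44 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '203.0.113.42 - - [20/Dec/2024:09:13:45 +0000] "POST //cfide/ADMINAPI/administrator.cfc?method=login HTTP/1.1" 403 210 "-" "python-requests/2.31"',
    '198.51.100.7 - - [20/Dec/2024:09:14:02 +0000] "GET /index.cfm HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.168.50.9 - - [20/Dec/2024:09:15:10 +0000] "GET /CFIDE/adminapi/base.cfc HTTP/1.1" 200 300 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for f in find_exposed_admin_requests(SAMPLE_LOG):
        verdict = "EXPOSED (served)" if f.status < 400 else "blocked at edge"
        print(f"{f.timestamp} {f.src} {f.path} -> {f.status} {verdict}")
```

Run it against real access logs piped in as lines; any finding with a 2xx or 3xx status means the administrative interface answered an untrusted source and the AC-17 / boundary controls are not in effect, regardless of whether the server is already patched. A 403 from the edge shows the boundary control working, but the attempt itself is still worth alerting on given the KEV status.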