Cyber Resilience

CVE-2024-20767

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 18 March 2024
Modified: 23 October 2025
KEV Added: 16 December 2024
Patch
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.9409 (99.9th percentile)
Risk Priority: 91 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-20767 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion. Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Deeper analysis

Adobe ColdFusion versions 2023.6, 2021.12 and earlier contain an Improper Access Control vulnerability (CWE-284) that permits arbitrary file-system reads. The flaw affects the administrative interface and carries a CVSS 3.1 score of 7.4, reflecting network attack vector, high attack complexity, and no required privileges or user interaction.

An unauthenticated attacker who can reach an internet-exposed ColdFusion admin panel can read or modify otherwise restricted files on the underlying server. Exploitation does not depend on user interaction and succeeds solely by sending crafted requests to the exposed administrative endpoints.

Adobe’s APSB24-14 bulletin details the affected builds and remediation steps, while CISA has added the CVE to its Known Exploited Vulnerabilities catalog. The associated EPSS score has reached a peak of 0.9668 and currently stands at 0.9409, confirming sustained exploitation interest after disclosure.


Vulnerability details

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 16 December 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 2021, 2023

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent: Directly enforces access restrictions on the ColdFusion admin panel and underlying file system, blocking the unauthorized reads that define CVE-2024-20767.

AC-17 (Remote Access), prevent: Requires explicit authorization and control of remote connections to the administrative interface, eliminating the internet exposure the vulnerability requires.

SC-7 (Boundary Protection), prevent: Applies boundary protections and network segmentation to keep the ColdFusion admin panel off untrusted networks, stopping the network attack path.
