Adobe Systems released an emergency update for the ColdFusion application server to fix a critical remote code execution that’s already being exploited by attackers.
The vulnerability, tracked as CVE-2019-7816, is located in the upload functionality and is described as an upload restriction bypass. Attackers can exploit the flaw to upload executable code to a web-accessible directory and then execute it via an HTTP request.
The flaw affects ColdFusion 11, 2016 and 2018 and successful exploitation results in arbitrary code execution with the privileges of the ColdFusion service.
In addition to patching the flaw, Adobe has made several changes that can help mitigate this issue. It introduced a new application setting called blockedExtForFileUpload, added a new server option called…