Update now! Critical Adobe ColdFusion flaw now being exploited – Naked Security

Adobe has issued an urgent out-of-band patch for a critical flaw in the ColdFusion web development platform it says is being exploited in the wild.

The company’s APSB19-14 bulletin is light on detail but describes the issue as a “file upload restriction bypass” affecting ColdFusion 2018 update 2 and earlier, 2016 update 9 and earlier, and 17 and earlier:

This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request.  Restricting requests to directories where uploaded files are stored will mitigate this attack.