⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions..
CVE-2018-15961 — Unrestricted File Upload in Adobe Coldfusion
Severity
9.8CRITICALNVD
EPSS
94.4%
top 0.02%
CISA KEV
KEV
Added 2021-11-03
Due 2022-05-03
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedSep 25
KEV addedNov 3
KEV dueMay 3
Latest updateMay 13
CISA Required Action: Apply updates per vendor instructions.
Description
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9
Affected Packages2 packages
▶CVEListV5adobe/coldfusionJuly 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier versions
🔴Vulnerability Details
3💥Exploits & PoCs
2Nuclei▶
Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
🔍Detection Rules
1Suricata▶
ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)↗2018-11-13
📋Vendor Advisories
1🕵️Threat Intelligence
3Tenable▶
APT Malware Activity Detected Exploiting a Patched ColdFusion Vulnerability (CVE-2018-15961)↗2018-11-08