ColdFusion | Uncontrolled Resource Consumption (CWE-400)
Platform: coldfusion
Component: coldfusion
Fixed in: 2025.6.1
CVE-2026-27308 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. This flaw allows a high-privileged attacker to exhaust system resources, potentially leading to a denial-of-service condition and reduced application performance. The vulnerability affects ColdFusion versions 2023.18, 2025.6, and earlier, but has been resolved in version 2025.6.1.
Impact and Attack Scenarios
Successful exploitation of CVE-2026-27308 can result in a denial-of-service (DoS) condition for the ColdFusion application. An attacker, possessing elevated privileges, can trigger resource exhaustion, causing the application to slow down significantly or become unresponsive. This can disrupt business operations and potentially impact users' ability to access critical services. While the vulnerability doesn't require user interaction, it necessitates an attacker with sufficient permissions to manipulate the ColdFusion environment. The blast radius is limited to the affected ColdFusion application and its underlying infrastructure.
Exploitation Context
CVE-2026-27308 was publicly disclosed on 2026-04-14. The CVSS score is 2.4 (LOW), indicating a relatively low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing. It is not currently listed on the CISA KEV catalog.
Who Is at Risk
Organizations running ColdFusion versions 2023.18, 2025.6, or earlier are at risk. This includes those with legacy ColdFusion deployments, shared hosting environments where ColdFusion is installed, and those who haven't recently updated their ColdFusion instances.
Detection Steps
• coldfusion: sample the ColdFusion process's accumulated CPU time and memory footprint (VirtualMemorySize64 is the property name on the process object; VirtualMemory does not exist and would return an empty column):
  Get-Process -Name ColdFusion | Select-Object CPU, WorkingSet64, VirtualMemorySize64
• coldfusion: pull the most recent Application-log events written by the ColdFusion event provider:
  Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ColdFusion']]]" -MaxEvents 100
• generic web: check ColdFusion application logs for unusual patterns of requests or errors that might indicate resource exhaustion.
Attack Timeline
- Disclosure
Threat Intelligence
Exploit Status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Adjacent: requires network proximity (same LAN, Bluetooth, or local segment).
- Attack Complexity
- Low: no special conditions; the attacker can exploit reliably.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- None: the attack is automatic and silent; the victim does nothing.
- Scope
- Unchanged: impact is limited to the vulnerable component.
- Confidentiality
- None: no impact on confidentiality.
- Integrity
- None: no impact on integrity.
- Availability
- Low: partial or intermittent denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-27308 is to upgrade ColdFusion to version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as rate limiting requests to the ColdFusion application. Monitor system resource utilization (CPU, memory, disk I/O) for unusual spikes that could indicate exploitation attempts. After upgrading, confirm the vulnerability is resolved by attempting to reproduce the resource exhaustion condition and verifying that it no longer occurs.
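The detection steps and the mitigation advice above both come down to watching the ColdFusion process for resource spikes and correlating them with its event-log output. The script below is an added example, not part of this advisory or Adobe's guidance: it polls the process at a fixed interval, derives a CPU percentage from the change in accumulated CPU time, builds a working-set baseline from the first few samples, and flags any interval where CPU or memory exceeds a threshold, attaching any ColdFusion-provider Application events written since the previous check. The process name 'coldfusion', the provider name 'ColdFusion', and every threshold are assumptions to tune per host; the sample size and growth factor are constructed defaults.

```powershell
# Added example (not from the advisory): poll ColdFusion resource use and flag spikes.
# Assumptions: ColdFusion runs as a Windows process named 'coldfusion' and logs to the
# Application log under provider 'ColdFusion' (both taken from the detection steps above).
# Thresholds below are constructed defaults; tune them against your own baseline.
param(
    [string]$ProcessName        = 'coldfusion',
    [int]$IntervalSeconds       = 10,
    [int]$BaselineSamples       = 6,      # samples used to establish the memory baseline
    [double]$CpuPctThreshold    = 80,     # flag if CPU over the interval exceeds this %
    [double]$MemoryGrowthFactor = 1.5,    # flag if working set exceeds baseline * factor
    [string]$CsvPath            = "$env:TEMP\cf-resource-watch.csv"
)

# CPU% is normalised across all logical processors so 100% means the whole box.
$logicalCpus = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors

function Get-CfSample {
    # One snapshot of every process matching the name (ColdFusion may spawn several).
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) { return $null }
    [pscustomobject]@{
        Time       = Get-Date
        CpuSeconds = ($procs | Measure-Object -Property CPU -Sum).Sum
        WorkingSet = ($procs | Measure-Object -Property WorkingSet64 -Sum).Sum
        Handles    = ($procs | Measure-Object -Property HandleCount -Sum).Sum
        Threads    = ($procs | ForEach-Object { $_.Threads.Count } | Measure-Object -Sum).Sum
    }
}

$prev = Get-CfSample
if (-not $prev) { Write-Error "No running process named '$ProcessName'"; return }

$baselineWs     = @()
$lastEventCheck = $prev.Time

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $cur = Get-CfSample
    if (-not $cur) {
        # Losing the process entirely is itself a DoS indicator worth recording.
        Write-Warning ("{0:s} process '{1}' is no longer running" -f (Get-Date), $ProcessName)
        break
    }

    $elapsed = ($cur.Time - $prev.Time).TotalSeconds
    $cpuPct  = (($cur.CpuSeconds - $prev.CpuSeconds) / ($elapsed * $logicalCpus)) * 100

    # Fill the baseline from the first N samples, then freeze it.
    if ($baselineWs.Count -lt $BaselineSamples) { $baselineWs += $cur.WorkingSet }
    $baseline = ($baselineWs | Measure-Object -Average).Average

    $flags = @()
    if ($cpuPct -gt $CpuPctThreshold) {
        $flags += ("CPU {0:N1}% > {1}%" -f $cpuPct, $CpuPctThreshold)
    }
    if ($baselineWs.Count -ge $BaselineSamples -and $cur.WorkingSet -gt ($baseline * $MemoryGrowthFactor)) {
        $flags += ("WorkingSet {0:N0} MB > {1}x baseline ({2:N0} MB)" -f `
            ($cur.WorkingSet / 1MB), $MemoryGrowthFactor, ($baseline / 1MB))
    }

    # Correlate with ColdFusion provider events written since the previous check.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'ColdFusion'; StartTime = $lastEventCheck
    } -ErrorAction SilentlyContinue)
    $lastEventCheck = $cur.Time

    # Keep every sample on disk so a spike can be reviewed after the fact.
    [pscustomobject]@{
        Time         = $cur.Time.ToString('s')
        CpuPct       = [math]::Round($cpuPct, 1)
        WorkingSetMB = [math]::Round($cur.WorkingSet / 1MB)
        Handles      = $cur.Handles
        Threads      = $cur.Threads
        Events       = $events.Count
        Flags        = ($flags -join '; ')
    } | Export-Csv -Path $CsvPath -Append -NoTypeInformation

    if ($flags) {
        Write-Warning ("{0:s} {1}" -f $cur.Time, ($flags -join '; '))
        $events | Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message |
            Format-Table -AutoSize -Wrap | Out-String | Write-Warning
    }
    $prev = $cur
}
```

Run it from an elevated session on the ColdFusion host (reading other users' process CPU counters and the Application log may need administrator rights). The CPU figure is a delta over the polling interval rather than the cumulative CPU column that Get-Process prints, which is what makes a sudden spike visible; the memory check deliberately waits until the baseline window is full so normal JVM warm-up is not reported as growth.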
How to fix
Adobe recommends upgrading to version 2025.6.1 or later to mitigate this vulnerability. The update fixes the excessive resource consumption problem that could lead to a denial of service. See the Adobe Security Advisory APSB26-38 page for further details and update instructions.
Frequently asked questions
What is CVE-2026-27308 — DoS in ColdFusion?
CVE-2026-27308 is a denial-of-service vulnerability in ColdFusion affecting versions 0.0.0–2025.6. An attacker can exhaust system resources, impacting application speed.
Am I affected by CVE-2026-27308 in ColdFusion?
You are affected if you are running ColdFusion versions 2023.18, 2025.6, or earlier. Upgrade to 2025.6.1 or later to mitigate the risk.
How do I fix CVE-2026-27308 in ColdFusion?
Upgrade ColdFusion to version 2025.6.1 or later. As a temporary workaround, implement rate limiting for requests to the application.
Is CVE-2026-27308 being actively exploited?
There are currently no reports of active exploitation, and no public proof-of-concept code is available.
Where can I find the official ColdFusion advisory for CVE-2026-27308?
Refer to the Adobe Security Bulletin for CVE-2026-27308 on the Adobe website.