Platform
coldfusion
Component
coldfusion
Fixed in
2025.6.1
CVE-2026-27305 is a path traversal vulnerability in ColdFusion. It allows an attacker to read arbitrary files from the server's file system, bypassing the intended access controls. All ColdFusion versions up to and including 2025.6 are affected; the fix ships in version 2025.6.1.
The impact is significant because of the potential for unauthorized access to sensitive data. An attacker could read configuration files, source code, database credentials or other confidential information stored on the server. Successful exploitation can lead to data breaches, loss of system integrity and, if credentials are exposed, lateral movement within the network. Because exploitation requires no user interaction, the flaw can be triggered remotely without any action by a victim, which further raises the risk.
CVE-2026-27305 was publicly disclosed on April 14, 2026. Currently there are no known public exploits or active campaigns targeting this vulnerability, and it is not listed in the CISA KEV catalog as of this writing. While no public proof of concept exists, path traversal flaws are typically easy to exploit, so rapid exploitation is likely if a PoC is released.
Organizations running ColdFusion applications, particularly those with sensitive data stored on the server, are at risk. This includes businesses relying on ColdFusion for web applications, e-commerce platforms, and internal systems. Legacy ColdFusion deployments and those with weak file system permissions are especially vulnerable.
• coldfusion (lists files or directories under the web root whose full name contains a parent-directory segment, "..\" or "../"; adjust the path to your installation):
Get-ChildItem -Path "C:\ColdFusion\wwwroot\" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.FullName -match '\.\.[\\/]' }
• generic web (curl collapses "/../" on the client side by default, so --path-as-is is needed for the traversal to reach the server; substitute a file that exists on the host's OS and repeat with percent-encoded variants such as %2e%2e):
curl -I --path-as-is http://your-coldfusion-server/../../../../etc/passwd
Exploit Status
EPSS
0.18% (39th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-27305 is to upgrade to ColdFusion version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, consider temporary workarounds such as restricting file system access through the web server configuration, or a Web Application Firewall (WAF) rule that blocks requests attempting to reach files outside the intended directory. Any such rule must decode the request path first, including percent-encoded and double-encoded forms (%2e%2e, %252e%252e) and backslash separators on Windows hosts, or it will be trivially bypassed; treat it as a stopgap, not a fix. Running the ColdFusion service under a low-privilege account also limits what a traversal can read. Regularly review and harden ColdFusion's configuration to minimize the attack surface. After upgrading, verify the fix by requesting files outside the web root (with curl --path-as-is, so the client does not normalize the path away) and confirming that the server refuses them.
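The following is an added example written for this page, not ColdFusion's or Adobe's code. It covers both the detection commands above and the WAF/containment advice: it decodes request paths the way an attacker would expect a naive filter not to (bounded repeated percent-decoding, backslash folding), flags log entries whose path climbs above the web root, and shows the server-side containment check that a hardened file handler should perform. It assumes requests are logged in Apache/NCSA combined format; the hosts, timestamps, paths and the temporary web root are all constructed for the example and do not come from the advisory.

```python
"""Added example: request-path traversal detection and a containment check.

Illustrative code written for this page, not ColdFusion's or Adobe's code.
Assumptions (none come from the advisory): requests are logged in Apache/NCSA
combined format, and the web root is a throwaway directory created by
demo_containment(). The hosts, timestamps and paths below are constructed.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Constructed sample log (not real traffic). Lines 2-4 are traversal attempts in
# raw, percent-encoded and double-encoded-backslash form; line 5 is a benign
# file name that merely contains '..' and must not be flagged.
SAMPLE_LOG = r"""203.0.113.7 - - [14/Apr/2026:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [14/Apr/2026:10:01:09 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1834
198.51.100.4 - - [14/Apr/2026:10:02:31 +0000] "GET /images/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 404 512
198.51.100.4 - - [14/Apr/2026:10:02:40 +0000] "GET /cfide/..%255c..%255cconf\app.properties HTTP/1.1" 200 900
192.0.2.9 - - [14/Apr/2026:10:03:00 +0000] "GET /docs/release-notes..v2.cfm HTTP/1.1" 200 2048
"""

MAX_DECODE_ROUNDS = 3  # enough to unwrap double encoding without looping forever

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def decode_path(raw: str) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e and %252e%252e both become
    '..', then fold backslashes to slashes, since Windows hosts accept both."""
    path = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(raw_path: str) -> bool:
    """True if the request path, once decoded, climbs above the web root.
    Segments are walked with a depth counter instead of normpath, because
    normpath('/../x') quietly yields '/x' and hides the escape."""
    path = decode_path(raw_path.split("?", 1)[0])
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return (client, status, raw_path) for every request whose path escapes
    the root. A 200 on such a request is the signal that deserves triage."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _ts, _method, raw_path, status = match.groups()
        if escapes_root(raw_path):
            hits.append((client, int(status), raw_path))
    return hits


def safe_resolve(web_root: str, requested: str):
    """Server-side containment: resolve the decoded path under web_root and
    refuse anything whose real path (symlinks followed) lies outside it."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, decode_path(requested).lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def demo_containment() -> dict:
    """Create a throwaway web root (assumed layout) and report, per request,
    whether safe_resolve() behaved as intended (True means it did)."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="cf-wwwroot-"))
    index = os.path.join(root, "index.cfm")
    open(index, "w").close()
    return {
        "/index.cfm": safe_resolve(root, "/index.cfm") == index,
        "/sub/../index.cfm": safe_resolve(root, "/sub/../index.cfm") == index,
        "/../../../../etc/passwd": safe_resolve(root, "/../../../../etc/passwd") is None,
        "/%2e%2e/%2e%2e/etc/passwd": safe_resolve(root, "/%2e%2e/%2e%2e/etc/passwd") is None,
    }


if __name__ == "__main__":
    for client, status, raw_path in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {raw_path}")
    for request, ok in demo_containment().items():
        print(f"{'ok' if ok else 'FAIL':4} {request}")
```

Feed scan_log() your real access log instead of SAMPLE_LOG to hunt for past attempts; the benign "release-notes..v2.cfm" entry shows why a plain substring match on ".." produces false positives, and the double-encoded line shows why a WAF rule must decode before matching. safe_resolve() is the shape of check a file-serving handler needs regardless of the patch: resolve first, then compare against the real root.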
Adobe recommends updating to a fixed version of ColdFusion, such as 2025.6.1 or later, to mitigate the path traversal vulnerability. See the Adobe Security Advisory (APS) page for detailed instructions on applying the update.
CVE-2026-27305 is a path traversal vulnerability in ColdFusion affecting all versions up to and including 2025.6, allowing attackers to read arbitrary files.
If you are running any ColdFusion version up to and including 2025.6, you are potentially affected and should upgrade immediately.
Upgrade to ColdFusion version 2025.6.1 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's nature suggests potential for future attacks.
Refer to the Adobe Security Bulletin for CVE-2026-27305 on the Adobe website.