coldfusion
Fixed version
2025.6.1
CVE-2026-27307 describes an Uncontrolled Resource Consumption vulnerability in ColdFusion. The flaw allows a high-privileged attacker to exhaust system resources, producing a denial-of-service condition and degraded application performance. The affected range recorded for this CVE is ColdFusion 0.0.0 through 2025.6 inclusive, i.e. every release up to and including 2025.6. The fix ships in version 2025.6.1.
Successful exploitation of CVE-2026-27307 lets an attacker create a denial-of-service (DoS) condition in a ColdFusion application by driving excessive resource consumption, such as CPU or memory, until the application slows down or crashes. This disrupts availability for legitimate users and can affect other services on the same host. The attack needs no user interaction, but it does require an attacker who already holds elevated privileges in the ColdFusion environment, which narrows the realistic threat to a malicious or compromised privileged account.
CVE-2026-27307 was publicly disclosed on 2026-04-14. It carries a LOW CVSS severity rating; CVSS measures impact and ease of attack, not likelihood, and the separate EPSS estimate of 0.02% (6th percentile) is what indicates a low probability of exploitation. No public proof-of-concept (PoC) code has been released at the time of writing, there are no reports of active exploitation campaigns, and the CVE is not listed in the CISA KEV catalog.
Organizations that depend on ColdFusion for critical business applications are exposed. Hosts with limited spare CPU or memory, and older unpatched ColdFusion instances, are the most likely to be taken down by a resource-exhaustion attack. Shared hosting environments in which several ColdFusion applications compete for the same resources are also at increased risk, because one tenant's privileged user can degrade the others.
• coldfusion: Snapshot the ColdFusion process's processor time and working set (note that the CPU column is cumulative processor seconds since the process started, so take two samples some seconds apart and compare them rather than reading a single value):
Get-Process -Name ColdFusion | Select-Object CPU, WorkingSet
• coldfusion: Pull the most recent ColdFusion entries from the Windows Application event log:
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='ColdFusion']]]" -MaxEvents 100
• coldfusion: Review ColdFusion application logs for unusual patterns of resource-intensive requests or errors related to resource exhaustion.
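The two commands above are one-shot snapshots. The script below is an added example, not part of the advisory or Adobe's tooling: it samples the ColdFusion process repeatedly, converts the cumulative CPU seconds reported by Get-Process into a per-interval percentage, and when CPU or working set stays above a threshold for several consecutive samples it dumps the latest ColdFusion event-log entries for correlation. It implements the interim resource monitoring the mitigation section recommends. The process name ColdFusion, the thresholds and the sampling interval are assumptions; adjust them for your host.

```powershell
# Added example (not Adobe's code): watch the ColdFusion process for sustained
# CPU/memory pressure consistent with a resource-exhaustion DoS.
# Assumptions: the server runs as a process named "ColdFusion" and the
# thresholds below are illustrative. Run in an elevated PowerShell session on
# the ColdFusion host so Get-Process can read CPU time for the service account.
param(
    [string]$ProcessName = 'ColdFusion',
    [int]$IntervalSeconds = 10,
    [int]$Samples = 30,
    [double]$CpuPercentThreshold = 80,
    [int]$WorkingSetMBThreshold = 4096,
    [int]$SustainedSamples = 3
)

$cores = [Environment]::ProcessorCount
$consecutiveBreaches = 0
$prevCpuSeconds = $null

for ($i = 0; $i -lt $Samples; $i++) {
    $procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "$(Get-Date -Format o) no '$ProcessName' process found (service down or named differently?)"
        Start-Sleep -Seconds $IntervalSeconds
        continue
    }

    # Get-Process exposes CPU as cumulative processor seconds; sum across any
    # child processes and convert the delta between samples into a % of all cores.
    $cpuSeconds = 0.0
    $workingSetBytes = 0
    foreach ($p in $procs) {
        $cpuSeconds += [double]$p.CPU          # [double]$null is 0 if access is denied
        $workingSetBytes += $p.WorkingSet64
    }
    $wsMB = [math]::Round($workingSetBytes / 1MB)

    if ($null -ne $prevCpuSeconds) {
        $cpuPct = [math]::Round((($cpuSeconds - $prevCpuSeconds) / $IntervalSeconds) / $cores * 100, 1)
        $line = "$(Get-Date -Format o) cpu=${cpuPct}% ws=${wsMB}MB"

        if ($cpuPct -ge $CpuPercentThreshold -or $wsMB -ge $WorkingSetMBThreshold) {
            $consecutiveBreaches++
            Write-Warning "$line (threshold breached, $consecutiveBreaches consecutive)"
        } else {
            $consecutiveBreaches = 0
            Write-Output $line
        }

        # Only react to sustained pressure, not a single busy sample.
        if ($consecutiveBreaches -ge $SustainedSamples) {
            Write-Warning "Sustained resource pressure on '$ProcessName'; recent ColdFusion events follow"
            Get-WinEvent -LogName Application `
                -FilterXPath "*[System[Provider[@Name='ColdFusion']]]" `
                -MaxEvents 20 -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, LevelDisplayName, Message |
                Format-Table -AutoSize -Wrap
            $consecutiveBreaches = 0
        }
    }

    $prevCpuSeconds = $cpuSeconds
    Start-Sleep -Seconds $IntervalSeconds
}
```

The first sample only seeds the CPU counter, so the first reported line appears after one interval. Treat the output as a trigger for investigation: correlate the timestamps of the breach with ColdFusion's own application logs to identify which privileged user or request pattern is driving the load.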
Disclosure
Exploitation status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27307 is to upgrade to ColdFusion version 2025.6.1 or later, which contains the fix. If an immediate upgrade is not feasible, rate-limit resource-intensive operations within the ColdFusion application so that a single privileged account cannot monopolize CPU or memory, and monitor system resource utilization (CPU, memory) to detect an attack in progress. After upgrading, confirm that the running instance reports version 2025.6.1 or later; since no public proof of concept exists, there is no reliable way to reproduce the exhaustion condition as a verification step.
Adobe recommends applying the update to ColdFusion version 2025.6.1 or later to mitigate the uncontrolled resource consumption vulnerability. See Adobe Security Advisory APSB26-38 for details and installation instructions.
CVE-2026-27307 is a denial-of-service vulnerability in ColdFusion affecting versions 0.0.0–2025.6. An attacker can exhaust system resources, leading to application slowdown or crashes.
You are affected if you are running ColdFusion versions 0.0.0 through 2025.6. Upgrade to 2025.6.1 or later to mitigate the risk.
Upgrade to ColdFusion version 2025.6.1 or a later version. Consider rate limiting and monitoring system resources as interim measures.
There are currently no reports of active exploitation campaigns for CVE-2026-27307, but vigilance is still advised.
Refer to Adobe Security Bulletin APSB26-38 for CVE-2026-27307 on the Adobe Security Advisories website.