root@rebel:~$ cd /news/threats/adobe-patches-critical-coldfusion-and-indesign-rce-vulnerabilities_
[TIMESTAMP: 2026-04-14 20:26 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Adobe Patches Critical ColdFusion and InDesign RCE Vulnerabilities

CRITICAL Vulnerabilities #Adobe #ColdFusion #InDesign
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] Critical RCE vulnerabilities in ColdFusion and InDesign allow attackers to execute arbitrary code and gain full control over affected systems.
  • [02] The flaws impact Adobe ColdFusion 2021 and 2023, Acrobat, Reader, Adobe Commerce, and various Substance 3D applications.
  • [03] Security teams must prioritize updating ColdFusion to version 2023 Update 9 or 2021 Update 15 to mitigate immediate exploitation risks.

Adobe has released a substantial security update addressing 55 CVE IDs across 11 different products. According to SecurityWeek, the software giant identifies the vulnerabilities in ColdFusion as having the highest risk of exploitation, despite none of the flaws being listed as under active attack at the time of disclosure.

Adobe ColdFusion CVE-2024-41874 Patch Guidance

The most severe vulnerability addressed in this cycle is CVE-2024-41874, which carries a CVSS score of 9.8. This flaw is an improper limitation of a pathname to a restricted directory (‘Path Traversal’) that can result in RCE. Attackers targeting ColdFusion environments often seek to exploit such flaws to bypass security controls and execute malicious commands with the privileges of the web server service.

Organizations running ColdFusion 2023 (Update 8 and earlier) or ColdFusion 2021 (Update 14 and earlier) are at risk. Adobe categorizes this as a Priority 1 update, meaning it is a high-value target for APT groups and ransomware operators. Proper Adobe ColdFusion CVE-2024-41874 patch guidance involves upgrading to version 2023 Update 9 or 2021 Update 15 and ensuring the ColdFusion JDK is updated to the latest long-term support version.

Critical Risks in Design and Document Software

Beyond server-side tools, Adobe’s creative suite faces significant exposure. Adobe InDesign was patched for multiple critical flaws, including CVE-2024-41823, a heap-based buffer overflow that could allow code execution if a user opens a specially crafted file. This type of vulnerability is frequently leveraged in targeted phishing campaigns where victims are enticed to open malicious document attachments. Security researchers are advising organizations on how to detect Adobe InDesign RCE exploit attempts by monitoring for unusual child processes spawning from InDesign.exe.
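The child-process monitoring suggested above, written out as a small detection rule. This is an added example, not code from the article or from Adobe: it parses constructed process-creation records in a simplified Sysmon Event ID 1 style (`key=value|key=value`), and raises a high-severity alert when a watched document-handling parent launches a script interpreter or loader, and a medium-severity alert for any other child not on an allow-list. InDesign.exe is the parent named in the article; extending the same rule to Acrobat.exe and AcroRd32.exe, and the contents of the allow-list, are assumptions to tune per environment.

```python
"""Flag unusual child processes of document-handling applications.

Added example (not from the article). Input records are a constructed,
simplified Sysmon Event ID 1 style: 'ParentImage=...|Image=...|CommandLine=...|User=...'.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Parents whose children we watch. InDesign.exe comes from the article; the two
# Acrobat binaries are an assumed extension of the same rule.
WATCHED_PARENTS = {"indesign.exe", "acrobat.exe", "acrord32.exe"}

# Interpreters and loaders a document editor has no normal reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Benign helpers the parent is known to launch (assumed allow-list; tune per site).
EXPECTED_CHILDREN = {"conhost.exe", "crashreporter.exe", "adobe_licensing_wf.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


@dataclass(frozen=True)
class Alert:
    severity: str  # "high" for a known-bad child, "medium" for an unexpected child
    event: ProcessEvent
    reason: str


def _basename(path: str) -> str:
    # Windows paths; compare case-insensitively on the file name only.
    return ntpath.basename(path).lower()


def evaluate(event: ProcessEvent) -> Optional[Alert]:
    """Return an Alert if the event matches the rule, otherwise None."""
    parent = _basename(event.parent_image)
    if parent not in WATCHED_PARENTS:
        return None
    child = _basename(event.image)
    if child in SUSPICIOUS_CHILDREN:
        return Alert("high", event, f"{parent} spawned interpreter/loader {child}")
    if child not in EXPECTED_CHILDREN:
        return Alert("medium", event, f"{parent} spawned unexpected child {child}")
    return None


def parse_line(line: str) -> ProcessEvent:
    """Parse one 'key=value|key=value' record (constructed format; values must not contain '|')."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(
        parent_image=fields["ParentImage"],
        image=fields["Image"],
        command_line=fields.get("CommandLine", ""),
        user=fields.get("User", ""),
    )


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over a batch of records and return the alerts in input order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = evaluate(parse_line(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Adobe\Adobe InDesign 2024\InDesign.exe|Image=C:\Windows\System32\conhost.exe|CommandLine=conhost.exe 0x4|User=CORP\alice",
    r"ParentImage=C:\Program Files\Adobe\Adobe InDesign 2024\InDesign.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -WindowStyle Hidden|User=CORP\alice",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe|User=CORP\bob",
    r"ParentImage=C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|User=CORP\carol",
    r"ParentImage=C:\Program Files\Adobe\Adobe InDesign 2024\InDesign.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe|User=CORP\alice",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.reason} (user={a.event.user}; cmd={a.event.command_line})")
```

On the constructed sample the rule fires three times: the PowerShell and cmd.exe launches are high severity, the notepad.exe launch is medium, and the explorer.exe record is ignored because the parent is not watched. In production the same logic maps directly onto a SIEM query over Sysmon or EDR process-creation telemetry, with the allow-list maintained from observed baselines.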

Adobe Acrobat and Reader also received fixes for 13 vulnerabilities. The most concerning of these is CVE-2024-41869, a use-after-free vulnerability that leads to code execution. Given the ubiquity of PDF readers in corporate environments, the Adobe Acrobat Reader security update September 2024 should be deployed across all workstations to prevent initial access via malicious documents.

Impact on Substance 3D and E-Commerce

The Substance 3D product line, including Sampler, Stager, Designer, and Painter, saw several updates for memory corruption issues. While these products are more specialized, they remain viable entry points for attackers seeking lateral movement within creative or manufacturing sectors. Furthermore, Adobe Commerce (formerly Magento) was patched for CVE-2024-41855, a critical vulnerability that could lead to privilege escalation without requiring user interaction.

Security administrators should follow these steps to secure their environments:

  • Prioritize Server-Side Updates: Update ColdFusion immediately, as these instances are frequently scanned by automated exploit kits.
  • Audit Desktop Installations: Use software inventory tools to ensure all instances of Acrobat and Reader are updated to versions 24.003.20112 (Continuous) or 20.005.30655 (Classic).
  • Implement File Blocking: Restrict the opening of InDesign (.indd) or Substance 3D files from untrusted external sources until patches are applied.
  • Verify Adobe Commerce Patches: Ensure Magento Open Source and Adobe Commerce installations are running versions 2.4.7-p2, 2.4.6-p7, or 2.4.5-p9.
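The version checks behind these steps, as an added example that is not part of the article: it parses the three version formats the advisory uses (ColdFusion "2023 Update 9", Acrobat/Reader "24.003.20112", Adobe Commerce "2.4.7-p2") and compares each inventory entry against the fixed releases quoted above. The fixed versions come from the article; the inventory records and the `host`/`product`/`version` field layout are constructed, and a version on a branch the advisory does not list (for example a ColdFusion 2018 install, or Commerce older than 2.4.5) is reported as "not covered" rather than silently passed.

```python
"""Audit a software inventory against the fixed versions quoted in the advisory.

Added example; fixed versions are from the article, inventory data is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum patched release per branch, as quoted in the advisory.
COLDFUSION_FIXED: Dict[int, int] = {2023: 9, 2021: 15}            # year -> Update number
ACROBAT_FIXED: Dict[int, Tuple[int, int, int]] = {                 # major -> full version
    24: (24, 3, 20112),   # Continuous track
    20: (20, 5, 30655),   # Classic track
}
COMMERCE_FIXED: Dict[Tuple[int, int, int], int] = {                # base version -> patch level
    (2, 4, 7): 2, (2, 4, 6): 7, (2, 4, 5): 9,
}


def parse_coldfusion(version: str) -> Tuple[int, int]:
    m = re.fullmatch(r"\s*(\d{4})\s+Update\s+(\d+)\s*", version, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def parse_acrobat(version: str) -> Tuple[int, int, int]:
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Acrobat/Reader version: {version!r}")
    major, minor, build = (int(p) for p in parts)   # "003" -> 3
    return major, minor, build


def parse_commerce(version: str) -> Tuple[Tuple[int, int, int], int]:
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?\s*", version)
    if not m:
        raise ValueError(f"unrecognised Adobe Commerce version: {version!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    patch = int(m.group(4)) if m.group(4) else 0  # no "-pN" suffix means patch level 0
    return base, patch


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if at or above the fixed release, False if below, None if the branch is not in the advisory."""
    if product == "coldfusion":
        year, update = parse_coldfusion(version)
        fixed = COLDFUSION_FIXED.get(year)
        return None if fixed is None else update >= fixed
    if product == "acrobat":
        v = parse_acrobat(version)
        fixed = ACROBAT_FIXED.get(v[0])
        return None if fixed is None else v >= fixed   # lexicographic tuple comparison
    if product == "commerce":
        base, patch = parse_commerce(version)
        fixed = COMMERCE_FIXED.get(base)
        return None if fixed is None else patch >= fixed
    raise ValueError(f"unknown product: {product!r}")


def audit(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return one finding line per host that is unpatched or on an uncovered branch."""
    findings = []
    for host, product, version in inventory:
        status = is_patched(product, version)
        if status is True:
            continue
        label = "UNPATCHED" if status is False else "NOT COVERED by advisory"
        findings.append(f"{host}: {product} {version} is {label}")
    return findings


# Constructed inventory (hostnames and versions are illustrative only).
INVENTORY = [
    ("cf-prod-01", "coldfusion", "2023 Update 8"),
    ("cf-prod-02", "coldfusion", "2023 Update 9"),
    ("cf-legacy-01", "coldfusion", "2018 Update 20"),
    ("ws-0142", "acrobat", "24.002.21005"),
    ("ws-0143", "acrobat", "24.003.20112"),
    ("ws-0201", "acrobat", "20.005.30636"),
    ("shop-web-01", "commerce", "2.4.7"),
    ("shop-web-02", "commerce", "2.4.6-p8"),
    ("shop-old-01", "commerce", "2.4.4-p9"),
]

if __name__ == "__main__":
    for line in audit(INVENTORY):
        print(line)
```

The audit flags cf-prod-01, ws-0142, ws-0201 and shop-web-01 as unpatched, and cf-legacy-01 and shop-old-01 as not covered, which is the case an inventory script most often gets wrong: an install on an end-of-life branch has no patched release to upgrade to and needs a migration ticket, not a patch ticket. Feed it from your real software inventory export instead of the constructed list to use it in practice.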
