CVE-2024-20767 — Adobe ColdFusion Improper Access Control Vulnerability

CVE-2024-20767

Adobe ColdFusion — Unauthenticated Admin Panel Access Allows Arbitrary File Read/Write When Admin Panel is Internet-Exposed

What is Adobe ColdFusion?

Adobe ColdFusion is a rapid web application development platform widely used in enterprise and government environments to build dynamic web applications. ColdFusion applications are deployed on servers running ColdFusion Application Server, which includes both a web application runtime and an administrative console. The ColdFusion Administrator panel provides access to server configuration, data source management, file system operations, and code deployment — making it a high-value target. ColdFusion has historically been a frequent target of exploitation because it is often deployed on servers with elevated privileges and direct filesystem access.

Overview

CVE-2024-20767 is an improper access control vulnerability in Adobe ColdFusion that allows an unauthenticated remote attacker to access or modify restricted files via an internet-exposed admin panel. The High Attack Complexity (AC:H) reflects that exploitation requires the ColdFusion Administrator to be accessible from the internet — a configuration that violates Adobe's documented hardening guidance but exists in many real-world deployments. Adobe patched the vulnerability in March 2024 (APSB24-14); CISA added it to the KEV catalog in December 2024, nine months after the patch.

Affected Versions

Product               | Vulnerable            | Fixed
Adobe ColdFusion 2023 | Update 6 and earlier  | Update 7
Adobe ColdFusion 2021 | Update 12 and earlier | Update 13

Technical Details

CWE-284 (Improper Access Control). The ColdFusion Administrator panel — designed to be accessible only to administrators on trusted networks — contains endpoints that fail to properly enforce authentication checks. When the admin panel is exposed to the internet (port 8500 or through the main web port), an unauthenticated attacker can access these endpoints to read sensitive ColdFusion configuration files and, in some cases, write or overwrite files on the server.

Practically, the most dangerous read targets are ColdFusion configuration files (neo-datasource.xml, password.properties) that contain database credentials and ColdFusion admin passwords. The write capability can be used to overwrite ColdFusion mapping configuration to redirect application paths, or to deploy web shells if the attacker can write to web-accessible directories. Together these provide a path from unauthenticated access to full server compromise.

The AC:H rating specifically encodes the requirement that the administrator panel must be internet-accessible — a configuration that is explicitly against Adobe's hardening guide but common enough that the vulnerability has seen real exploitation.

Discovery

Patched in the March 2024 Adobe security update cycle. The nine-month gap to CISA KEV addition is consistent with a pattern of attackers systematically scanning for ColdFusion Administrator panels exposed to the internet and exploiting them once PoC techniques become available. ColdFusion has been a recurring target for this type of exploitation.

Exploitation Context

ColdFusion servers, particularly those in legacy government and enterprise deployments, are often maintained by small teams and may lag significantly behind on patch levels. An internet-exposed ColdFusion Administrator panel is a well-known risk indicator that security scanners and attackers both look for. Exploitation provides initial access to servers running ColdFusion applications, which typically have access to backend databases containing sensitive application data. The December 2024 KEV addition indicates this was actively targeted nearly a year after the patch.

Remediation

  1. Apply Adobe ColdFusion Update 7 (2023) or Update 13 (2021) from Adobe Security Bulletin APSB24-14.
  2. Immediately restrict access to the ColdFusion Administrator panel — it must not be accessible from the internet. Use firewall rules or web server configuration to block external access to the admin port (typically 8500) and admin path (/CFIDE/administrator/).
  3. Audit ColdFusion server logs for unauthorized access to admin endpoints dating back to March 2024.
  4. Review and rotate all credentials stored in ColdFusion configuration files (data source passwords, CFIDE admin passwords) on any server that may have been exposed with an internet-accessible admin panel.
  5. Enable ColdFusion's built-in IP address restriction for the administrator to limit access to specific trusted management IP addresses.
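As an added example to support steps 3 and 5 (this is not code from the advisory or from Adobe), the script below walks access-log lines in Apache "combined" format, which is an assumption about how the front-end web server or ColdFusion's Tomcat instance logs requests, and flags requests to the Administrator path that were served with a 2xx status to a client outside an assumed trusted management network, on or after the APSB24-14 release date. The sample log lines are constructed.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines; assumption: Apache "combined" access-log format.
SAMPLE_LOG = """\
10.0.5.21 - - [20/Mar/2024:09:14:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [02/Apr/2024:03:51:17 +0000] "GET /CFIDE/administrator/settings/mappings.cfm HTTP/1.1" 200 7311 "-" "python-requests/2.31"
198.51.100.9 - - [15/Feb/2024:11:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.44 - - [02/Apr/2024:03:51:19 +0000] "POST /CFIDE/administrator/settings/mappings.cfm HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.9 - - [03/Apr/2024:08:22:05 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
ADMIN_PREFIX = "/cfide/administrator/"              # ColdFusion Administrator path
PATCH_DATE = datetime(2024, 3, 12)                   # APSB24-14 release date
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: management network

def parse_line(line):
    """Return one parsed combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}

def is_trusted(ip):
    """True if the client address is inside an allow-listed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames or malformed fields are never trusted
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_admin_access(log_text, since=PATCH_DATE):
    """Admin-path requests served (2xx) to untrusted clients on or after `since`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < since:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        # A 302 to the login page means authentication was enforced, so it is not flagged.
        if path.startswith(ADMIN_PREFIX) and not is_trusted(rec["ip"]) \
                and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for h in find_suspicious_admin_access(SAMPLE_LOG):
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], h["status"])
```

Any hit from a source that is not a known administrator workstation is a reason to treat the server as exposed and move on to step 4 (credential rotation).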

Key Details

CVE ID: CVE-2024-20767
Vendor / Product: Adobe — ColdFusion
NVD Published: 2024-03-18
NVD Last Modified: 2025-10-23
CVSS 3.1 Score: 7.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity: HIGH
CWE: CWE-284
CISA KEV Added: 2024-12-16
CISA KEV Deadline: 2025-01-06
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-01-06. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date       | Event
2024-03-12 | Adobe releases APSB24-14 patching CVE-2024-20767
2024-03-18 | CVE formally published
2024-12-16 | Added to CISA Known Exploited Vulnerabilities catalog, 9 months after patch
2025-01-06 | CISA BOD 22-01 remediation deadline

References

Resource                                           | Type
Adobe Security Bulletin APSB24-14 (CVE-2024-20767) | Vendor Advisory
NVD entry for CVE-2024-20767                       | Vulnerability Database
CISA KEV Catalog Entry                             | US Government