Security News > 2021 > February > Weak ACLs in Adobe ColdFusion Allow Privilege Escalation
A newly disclosed vulnerability in Adobe ColdFusion could be exploited by unprivileged users for the execution of arbitrary code with SYSTEM privileges.
This week, Will Dormann, a security researcher with Carnegie Mellon University's CERT Coordination Center, revealed that the Adobe ColdFusion installer doesn't create a secure access-control list on the default installation directory.
An unprivileged user on a Windows computer, Dormann explains, could place a specially-crafted DLL file within the installation directory of Adobe ColdFusion, which would result in arbitrary code being executed with SYSTEM privileges.
"By default, ColdFusion does not configure itself securely. In order to secure ColdFusion with respect to service privileges, ACLs, and other attributes, the ColdFusion Server Auto-Lockdown installer must be installed in addition to installing ColdFusion itself," he notes.
Mitigations vary depending on the ColdFusion version in use: while auto-lockdown installers are available for ColdFusion 2018 and ColdFusion 2021, users of ColdFusion 2016 will have to apply the changes that Adobe has detailed in the ColdFusion 2016 Lockdown Guide.
ColdFusion has long been a target of threat actors, and Adobe has patched at least a handful of vulnerabilities already exploited in attacks, either on Patch Tuesday or with out-of-band updates.