
The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild. The affected products, Adobe ColdFusion and Oracle Agile PLM, present significant risks to network security, as both flaws can lead to arbitrary code execution and complete system takeover.
The first vulnerability, CVE-2017-3066, affects older versions of Adobe ColdFusion, a web application development platform. This critical flaw, with a CVSS score of 9.8, stems from a Java deserialization vulnerability within the Apache BlazeDS library. Attackers exploiting this vulnerability can potentially execute arbitrary code on affected systems, granting them unfettered access. Notably, a proof-of-concept exploit for this vulnerability is publicly available, amplifying the risk of widespread exploitation.
Systems running ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier are particularly at risk.
The second vulnerability, CVE-2024-20953, targets Oracle Agile PLM, a product lifecycle management solution within Oracle Supply Chain. With a CVSS score of 8.8, this vulnerability allows low-privileged attackers with network access via HTTP to compromise affected systems. The vulnerability resides within the Export component of Oracle Agile PLM version 9.3.6. Successful exploitation could lead to complete takeover of the system, potentially exposing sensitive supply chain data and disrupting critical business operations.
The ease of exploitation, coupled with the potential for widespread impact, makes this vulnerability a significant concern for organizations relying on Oracle Agile PLM.
Despite the lack of specific details regarding the scope and origin of the attacks, CISA’s inclusion of these vulnerabilities in the KEV catalog indicates a serious and ongoing threat. The agency has issued a clear directive to Federal Civilian Executive Branch (FCEB) agencies, mandating that they patch their systems by March 17, 2025. While this deadline specifically targets FCEB agencies, all organizations using the affected software are strongly advised to prioritize patching immediately.
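As an added triage aid that is not part of the original article, the following script checks an asset inventory against the affected ranges stated above (ColdFusion 2016 Update 3, 11 Update 11 and 10 Update 22 and earlier for CVE-2017-3066; Oracle Agile PLM 9.3.6 for CVE-2024-20953). The host names and banner strings are constructed, and a ColdFusion banner with no "Update" suffix is assumed to mean the base release (Update 0); release lines the article does not list (e.g. ColdFusion 2018 and later) are deliberately not flagged.

```python
import re

# Affected ranges as stated in the advisory: major release -> highest affected Update.
COLDFUSION_MAX_AFFECTED_UPDATE = {2016: 3, 11: 11, 10: 22}
AGILE_PLM_AFFECTED_VERSION = (9, 3, 6)

CF_RE = re.compile(r"ColdFusion\s+(\d{2,4})(?:\s+Update\s+(\d+))?", re.IGNORECASE)
PLM_RE = re.compile(r"Agile\s+PLM\s+(\d+(?:\.\d+)*)", re.IGNORECASE)


def coldfusion_affected(banner):
    """Return (cve, reason) if the banner is in the KEV-listed ColdFusion range, else None."""
    m = CF_RE.search(banner)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # assumption: no Update suffix == Update 0
    limit = COLDFUSION_MAX_AFFECTED_UPDATE.get(major)
    if limit is None or update > limit:
        return None  # unlisted release line, or already past the affected Update
    return ("CVE-2017-3066", f"ColdFusion {major} Update {update} is <= Update {limit}")


def agile_plm_affected(banner):
    """Return (cve, reason) if the banner is the affected Oracle Agile PLM release, else None."""
    m = PLM_RE.search(banner)
    if not m:
        return None
    version = tuple(int(p) for p in m.group(1).split("."))
    if version != AGILE_PLM_AFFECTED_VERSION:
        return None
    return ("CVE-2024-20953", "Oracle Agile PLM 9.3.6 Export component")


def triage(inventory):
    """Map each host to the KEV entry its banner matches; hosts with no match are omitted."""
    findings = {}
    for host, banner in inventory:
        hit = coldfusion_affected(banner) or agile_plm_affected(banner)
        if hit:
            findings[host] = hit
    return findings


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = [
    ("cf-legacy-01", "Adobe ColdFusion 11 Update 9"),
    ("cf-legacy-02", "Adobe ColdFusion 2016 Update 8"),
    ("cf-web-03", "Adobe ColdFusion 10 Update 22"),
    ("plm-app-01", "Oracle Agile PLM 9.3.6"),
    ("plm-app-02", "Oracle Agile PLM 9.3.5"),
]

if __name__ == "__main__":
    for host, (cve, why) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {cve} ({why})")
```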