Adobe has released out of band security updates to address a critical vulnerability affecting ColdFusion 2021, 2016, and 2018 releases.

Today’s emergency updates fix an arbitrary code execution security vulnerability caused by a Bad Input Validation software vulnerability.

Adobe has released ColdFusion 2016 Update 17, ColdFusion 2018 Update 11, and ColdFusion 2021 Update 1 to address the vulnerability and has stated that all previous versions prior to these fixes are vulnerable to attack.

Updates to the latest JDK are also required to secure servers

In today’s security bulletin, Adobe labeled the tracked vulnerability as CVE-2021-21087 with a “priority 2 rating,” assigned to vulnerabilities with no known exploits affecting products historically at high risk.

Adobe recommends that administrators install security updates as soon as possible and apply the security configuration settings described in the ColdFusion 2021, ColdFusion 2018, and ColdFusion 2016 locking guides.

“Adobe recommends updating your ColdFusion JDK / JRE to the latest version of LTS versions for 1.8 and JDK 11,” the company also said.

“Applying ColdFusion Update Without Corresponding JDK Update will NOT secure the server. “

More details on how to apply these updates can be found in the relevant technical notes linked in the integrated table below.

The US National Security Agency (NSA) has listed CVE-2018-4939 (an Adobe ColdFusion 14 bug) as one of the top 25 vulnerabilities used by Chinese state sponsored or financially motivated hackers to exploit public servers .

For example, in November 2018, China-backed hackers took over ColdFusion servers by deploying China Chopper backdoors after exploiting a bug identified as CVE-2018-15961 and fixed two months earlier.

Chinese-language cybercrime group Rocke was also observed earlier that year as it dropped cryptomining malware on the internet by exploiting unpatched Adobe ColdFusion servers for similar bugs.

Another ColdFusion vulnerability, CVE-2018-15961, has been included by the NSA in the list of most exploited bugs for deploying web shells to vulnerable servers.

A prolific hacker gang that has raped numerous companies by exploiting Adobe software has claimed another major blow in the form of automaker Citroën, the Guardian has learned.


Citroën had one of its German websites hacked to include a backdoor, which is a method of bypassing normal authentication systems, and which may have allowed attackers to escape with the data on the site server.

A spokesperson for Citroën Germany said law enforcement should be contacted about the offense because it was a criminal act. Some customer data has been stolen, the spokesperson said, but it is not known how many are affected. Customers have been contacted and will be asked to check their bank accounts for any suspicious transfers.

The attackers managed to enter the backdoor on shop.citroen.de, a fan site to buy Citroën gifts. After the disclosure by The Guardian and Alex Holden, chief information security officer at Hold Security, the backdoor has been removed, but investigations into the breach continue. The backdoor file had been online since at least August 2013.


According to Holden, it was certain that the same actors responsible for the breach of several sites – including Adobe, PR Newswire and the National White Collar Crime Center – were behind the breach of the Citroën site. Last year, security blogger Brian Krebs uncovered a wealth of information gathered during these attacks.


Hackers searched the Internet for weaknesses in an Adobe web application platform known as ColdFusion. “Exploitation has been targeted across the Internet in search of ColdFusion exploits,” Holden said.


If the hackers had decided to steal data from the site, they would have had access to all the information on the server. “To simply explain the backdoor, it provides full command line and SQL database access with the rights of the user running web services, which usually means everything on the web server,” added Holden.

Citroën was not responsible for the operation of the site. He hired the web design company anyMotion to manage his main German website and the affected fan site.

It is not clear whether the credit card information was directly compromised, although Citroën’s advice for customers to check their bank balances would indicate that some sort of financial information was taken. User grocery bags and delivery addresses were also stored on the compromised server.


The passwords used to access the website and administrator passwords to run it have been reset, while buyers were initially barred from making purchases as a precaution.

The breach highlighted the risks facing businesses through third parties. “You can have all the security in the world within the four walls of the company, all you need is a third party vendor who is connected to you, if they are compromised, that compromise has a direct link with your organization, ”said Rocco Grillo, Managing Director and global leader in incident response and forensic investigations at Protiviti, a consulting firm.

“If you outsource to a third party or rely on a third party, you don’t just shut the door and say it’s someone else’s problem. You can outsource the function, but you ultimately bear the risk. If that third party hasn’t put in place the same controls or the level of control that you need from a risk management perspective, there is obviously a problem. You run a serious risk if this company loses your data.

The attacks also demonstrated the need to update exploitable software. The vulnerabilities of ColdFusion have now been fixed.

Hackers used a flaw in Adobe’s ColdFusion software to violate the Washington State Courts Administrative Office.

Hackers may have accessed 160,000 social security numbers and up to one million driver’s license numbers, according to a court statement Thursday.

The court only confirmed that 94 Social Security numbers were definitely taken, however, and believes the violation occurred between last fall and February of this year, according to the Associated Press. He also confirmed that the breach occurred due to a flaw in Adobe’s web application platform, ColdFusion.

The court published details of the violation here. However, the site is currently “out of service for scheduled maintenance”.

Anyone who was incarcerated in a city or county jail in Washington state between September 2011 and December 2012 may have had their social security number exposed. The driver’s license numbers of those charged with driving offenses in the state’s superior court criminal system between 2011 and 2012 could also have been disclosed.

The court discovered the hack in February and has since patched its Adobe software.

While Adobe Reader and Flash, along with Java, remain the primary targets for exploit kits, hackers seem to target ColdFusion with greater frequency.

Adobe released its fourth security update in 2013 this week for critical vulnerabilities in ColdFusion. This was the third patch this year following reports of new ColdFusion vulnerabilities being exploited in the wild. Adobe only released four hotfixes for ColdFusion in 2012.