Adobe seems to have trouble catching a break sometimes.
Today they released an emergency patch for a vulnerability in the ColdFusion application that Adobe bought in 2005.
The bug allows an attacker to bypass the file upload restrictions, upload a malicious executable and then get the target system to execute it, giving the attacker total control over the infected system.
All ColdFusion versions for all platforms are affected.
While Adobe quickly released a patch, as we saw with the Equifax breach, releasing a patch is slightly different than getting users to install it.
Many times users do not even know what base platform an application uses – the so-called bill of materials.
Sometimes systems were developed years ago. The people who developed them are long gone and the people left don’t know much about them.
The end result, like at Equifax, doesn’t always turn out well.
Whether your systems and applications were internally developed, purchased from a third party or open sourced, if they are based on ColdFusion they are vulnerable.
If history is any indicator, there will be vulnerable systems out there for years.
If you have ColdFusion in your environment, now would be a good time to install the patch.
Information for this post came from Bleeping Computer.