KEVIntel
CVSS 7.4 High

CVE-2024-20767

PUBLISHED

ColdFusion | Improper Access Control (CWE-284)

Tags: Exploited in the wild · PoC available · Remote · No user interaction
Vendor: Adobe
Product: ColdFusion
Published: Mar 18, 2024
EPSS

Description

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction, but it does require that the admin panel be exposed to the internet.
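The affected range in the description ("2023.6, 2021.12 and earlier") is easy to misread when a server reports its version in ColdFusion's own notation, so the following is an added example (not KEVIntel's or Adobe's code) that turns the advisory text into a version check. Assumptions that are not on this page: the update number is the second component of a "2023.6"-style string and the third component of a "2023,0,06,330617"-style productversion string (the latter format is an assumption about how ColdFusion reports itself); and because the description names only the 2023 and 2021 release lines, any other line is reported as "not covered" rather than as safe. Sample version strings are constructed.

```python
"""Decide whether a reported ColdFusion version falls inside the affected
range stated in the CVE-2024-20767 description ("2023.6, 2021.12 and earlier").

Added example; not KEVIntel's or Adobe's code. Assumed (not on the page):
  * "2023.6" = release 2023, update 6 (the page's notation);
  * "2023,0,06,330617" = release 2023, update 06 (assumed productversion format);
  * release lines other than 2023 and 2021 are outside the advisory text and
    are reported as "not covered", never as "fixed".
"""
import re
from typing import NamedTuple, Tuple

# Highest affected update per release line, taken directly from the description.
LAST_AFFECTED_UPDATE = {2023: 6, 2021: 12}


class Verdict(NamedTuple):
    release: int
    update: int
    status: str  # "affected", "fixed", or "not covered"


def parse_cf_version(version: str) -> Tuple[int, int]:
    """Return (release_year, update_number) from either notation."""
    s = version.strip()
    m = re.fullmatch(r"(\d{4})\.(\d{1,3})", s)  # page notation, e.g. "2023.6"
    if m:
        return int(m.group(1)), int(m.group(2))
    # Assumed ColdFusion productversion notation, e.g. "2023,0,06,330617":
    # year, 0, update, build. Only year and update matter here.
    m = re.fullmatch(r"(\d{4}),(\d+),(\d+),(\d+)", s)
    if m:
        return int(m.group(1)), int(m.group(3))
    raise ValueError(f"unrecognised ColdFusion version string: {version!r}")


def assess(version: str) -> Verdict:
    """Classify a version against the advisory's affected range."""
    release, update = parse_cf_version(version)
    last_bad = LAST_AFFECTED_UPDATE.get(release)
    if last_bad is None:
        # The description says nothing about this release line; do not
        # report it as safe just because it is not listed.
        return Verdict(release, update, "not covered")
    return Verdict(release, update, "affected" if update <= last_bad else "fixed")


if __name__ == "__main__":
    # Constructed sample inputs covering both notations and all three outcomes.
    for v in ["2023.6", "2023.7", "2021,0,12,330204", "2021.13", "2018.19"]:
        verdict = assess(v)
        print(f"{v:>18} -> {verdict.status} (release {verdict.release}, update {verdict.update})")
```

Treat "fixed" as meaning only "later than the last update the description lists"; it does not prove the host is patched against anything else, and a "not covered" result should be checked against the vendor bulletin rather than assumed clean.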

Tags: cisa · nuclei_scanner · nessus_scanner

CVSS scores

CVSS v3.1 7.4 High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitation status

Exploited in the wild: recorded 2024-12-16 00:00:00 UTC

Proof of concept available: recorded 2024-03-26 19:17:14 UTC

SSVC decision points

Exploitation: active
Automatable: Yes
Technical impact: partial

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

CISA: added Dec 16, 2024

Scanner integrations

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

Chocapikk/CVE-2024-20767

github · Created 2024-03-26 19:17:14 UTC · 8 stars

Exploit Toolkit for Adobe ColdFusion CVE-2024-20767 Vulnerability

yoryio/CVE-2024-20767

github · Created 2024-03-26 06:51:08 UTC · 34 stars

Exploit for CVE-2024-20767 - Adobe ColdFusion

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nuclei