watchTowr Labs analyzes Adobe ColdFusion security bulletin APSB26-68, which patches 11 CVEs across ColdFusion 2023 and 2025. The post covers two main vulnerability classes: arbitrary file read/write via the RDS (Remote Development Services) FILEIO endpoint due to missing path canonicalization, and a file upload path traversal in the CKEditor file manager component. Both require non-default configurations (RDS enabled with authentication disabled, or file uploads enabled), but once those are enabled they are exploitable without authentication. The file write primitive trivially leads to RCE by writing a CFML webshell. The patch adds a new RdsFileSecurity.resolveCanonical() method that blocks absolute paths, null bytes, and directory traversal sequences. Additional vulnerabilities involving XSLT, SSRF, XXE, and file write via CFML tags such as <cffeed> and <cffile> are also noted, but they require application-specific conditions to exploit.
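The class of check the summary describes (reject absolute paths, null bytes and traversal sequences, then confirm the canonical result still lies under the served root) looks roughly like the following. This is an added illustration, not code from watchTowr Labs or from Adobe's RdsFileSecurity class; the WEBROOT value and the sample paths are constructed.

```python
import posixpath
import re

# Constructed example root; not Adobe's real directory layout.
WEBROOT = "/opt/coldfusion/cfusion/wwwroot"

_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


class PathSecurityError(ValueError):
    """Raised when a caller-supplied path fails canonicalization checks."""


def resolve_canonical(root: str, user_path: str) -> str:
    """Resolve user_path under root, or raise PathSecurityError.

    The input is assumed to be URL-decoded exactly once by the caller;
    checking before decoding would let encoded '..' segments slip through.
    """
    if "\x00" in user_path:
        raise PathSecurityError("null byte in path")
    normalized = user_path.replace("\\", "/")  # treat both separators alike
    if normalized.startswith("/") or _DRIVE_LETTER.match(normalized):
        raise PathSecurityError("absolute path not allowed")
    if ".." in normalized.split("/"):
        raise PathSecurityError("directory traversal sequence")
    canon_root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(canon_root, normalized))
    # The containment check is the real guarantee; the blocklist above only
    # gives clearer error messages for the common cases.
    if candidate != canon_root and not candidate.startswith(canon_root + "/"):
        raise PathSecurityError("path escapes root")
    return candidate


def is_allowed(root: str, user_path: str) -> bool:
    """Boolean wrapper for request handling or tests."""
    try:
        resolve_canonical(root, user_path)
        return True
    except PathSecurityError:
        return False


if __name__ == "__main__":
    # Constructed sample paths in the style of a FILEIO request; none come from the bulletin.
    for p in ["index.cfm", "uploads/../../etc/passwd", "/etc/passwd",
              "C:\\Windows\\win.ini", "img\x00.cfm", "a/./b.txt"]:
        print(f"{p!r:32} -> {is_allowed(WEBROOT, p)}")
```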
Source: https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza. 8sync News only summarizes and links to the source; the copyright for the content belongs to the author and the original source.