Adobe released updates to address a security vulnerability in ColdFusion that an attacker could exploit to take control of an affected system.
Exploits for this vulnerability have been detected in the wild.
The vulnerability, which Adobe labeled as critical, is a file upload restriction bypass that could lead to arbitrary code execution. It is tracked as CVE-2019-7816.
The vulnerability affects ColdFusion 11 Update 17 and earlier versions, ColdFusion 2016 Update 9 and earlier versions, and ColdFusion 2018 Update 2 and earlier versions.
This attack requires the ability to upload executable code to a web-accessible directory, and then execute that code via an HTTP request. Restricting requests to directories where uploaded files are stored will mitigate this attack.
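To check whether that restriction is actually in effect, the following added example (not Adobe's code or part of the advisory) scans web server access logs for requests to server-executable files inside upload directories and reports whether each was served or refused. The upload prefixes, the extension list, the common log format and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): where uploads are stored and which
# extensions the application server would execute. Adjust to your deployment.
UPLOAD_PREFIXES = ("/uploads/", "/userfiles/")
EXECUTABLE_EXTS = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx")

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2019:10:00:01 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 48211',
    '198.51.100.7 - - [01/Mar/2019:10:02:13 +0000] "GET /uploads/report.cfm HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2019:10:02:40 +0000] "POST /uploads/a%2Ejsp;x=1?q=1 HTTP/1.1" 403 199',
    '192.0.2.10 - - [01/Mar/2019:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 1024',
]

def normalize_path(target):
    """Drop the query string, percent-decode once, lowercase, strip ;params."""
    path = unquote(urlsplit(target).path).lower()
    # Java containers ignore ";param" suffixes when mapping a segment to a file.
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def find_upload_executions(lines):
    """Return (host, method, path, status, served) for each request that
    targets an executable extension under an upload directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        path = normalize_path(m["target"])
        if not path.startswith(UPLOAD_PREFIXES):
            continue
        # Check every segment so /uploads/x.cfm/y.jpg (path info) is caught too.
        if any(seg.endswith(EXECUTABLE_EXTS) for seg in path.split("/")):
            status = int(m["status"])
            hits.append((m["host"], m["method"], path, status, 200 <= status < 300))
    return hits

if __name__ == "__main__":
    for host, method, path, status, served in find_upload_executions(SAMPLE_LOG):
        print("SERVED " if served else "refused", status, host, method, path)
```

A hit with `served` set to true means the server answered a request for executable content in an upload directory, so the restriction is missing or incomplete for that path.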