Vulnerabilities ›

CVE-2026-27305

High

CWE-22 — Weakness Type

                    Published: Apr 14, 2026                      ·  Modified: Apr 21, 2026                      ·  Source: NVD                

CVSS v3

8.6

🔗 NVD Official

📄 Description (English)

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue does not require user interaction.

🤖 AI Executive Summary

ColdFusion versions 2023.18, 2025.6 and earlier contain a critical path traversal vulnerability (CWE-22) allowing unauthenticated attackers to read arbitrary files from the server filesystem. With a CVSS score of 8.6 and no patch currently available, this poses an immediate risk to organizations running affected versions. The vulnerability requires no user interaction and could expose sensitive configuration files, credentials, and business data.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 24, 2026 02:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi organizations using ColdFusion for web applications face significant risk, particularly in banking sector (SAMA-regulated institutions), government agencies (NCA oversight), healthcare providers, and telecommunications companies. Financial institutions using ColdFusion for customer-facing portals or backend services could have customer data, account information, and transaction records exposed. Government entities may expose classified documents and administrative credentials. Energy sector organizations (ARAMCO and subsidiaries) could have operational technology documentation compromised. The lack of available patches creates an extended vulnerability window requiring immediate compensating controls.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services Energy and Utilities Telecommunications E-commerce and Retail Insurance Education

🎯 MITRE ATT&CK Techniques

T1083 - File and Directory Discovery T1087 - Account Discovery T1005 - Data from Local System T1552 - Unsecured Credentials T1526 - Exposure of Sensitive Information

⚖️ Saudi Risk Score (AI)

8.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Inventory all ColdFusion installations across your organization and identify versions 2023.18, 2025.6 and earlier

2. Isolate affected ColdFusion servers from direct internet access using WAF or network segmentation

3. Implement strict input validation and path canonicalization on all file access operations

4. Monitor ColdFusion logs for suspicious file access patterns and path traversal attempts



COMPENSATING CONTROLS (until patch available):

5. Deploy Web Application Firewall (WAF) rules to block path traversal patterns (../, ..\, %2e%2e, etc.)

6. Restrict ColdFusion process permissions to minimum required filesystem access

7. Implement file integrity monitoring on sensitive directories

8. Enable detailed logging and alerting for file system access attempts

9. Apply principle of least privilege to ColdFusion service accounts



DETECTION RULES:

10. Monitor for HTTP requests containing: ../, ..\, %2e%2e, %252e, encoded traversal sequences

11. Alert on ColdFusion process attempting to access files outside application directories

12. Track failed file access attempts and permission denied errors

13. Monitor for unusual file read operations on /etc, /var, Windows system directories



LONG-TERM:

14. Subscribe to Adobe security bulletins for patch availability

15. Plan migration to patched ColdFusion versions as soon as available

16. Consider alternative application platforms if patching timeline is unacceptable

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. قم بحصر جميع تثبيتات ColdFusion عبر مؤسستك وحدد الإصدارات 2023.18 و2025.6 والإصدارات الأقدم

2. عزل خوادم ColdFusion المتأثرة عن الوصول المباشر للإنترنت باستخدام جدار حماية تطبيقات الويب أو تقسيم الشبكة

3. تطبيق التحقق الصارم من المدخلات وتطبيع المسار على جميع عمليات الوصول إلى الملفات

4. مراقبة سجلات ColdFusion للأنماط المريبة للوصول إلى الملفات ومحاولات اجتياز المسار

الضوابط البديلة (حتى توفر التصحيح):

5. نشر قواعد جدار حماية تطبيقات الويب لحجب أنماط اجتياز المسار (../, ..\, %2e%2e، إلخ)

6. تقييد صلاحيات عملية ColdFusion للوصول الأدنى المطلوب لنظام الملفات

7. تطبيق مراقبة سلامة الملفات على الدلائل الحساسة

8. تفعيل السجلات التفصيلية والتنبيهات لمحاولات الوصول إلى نظام الملفات

9. تطبيق مبدأ الامتياز الأدنى على حسابات خدمة ColdFusion

قواعد الكشف:

10. مراقبة طلبات HTTP التي تحتوي على: ../, ..\, %2e%2e, %252e، تسلسلات اجتياز مشفرة

11. تنبيه عند محاولة عملية ColdFusion الوصول إلى ملفات خارج دلائل التطبيق

12. تتبع محاولات الوصول الفاشلة إلى الملفات وأخطاء الأذونات المرفوضة

13. مراقبة عمليات قراءة الملفات غير العادية على /etc و/var ودلائل نظام Windows

المدى الطويل:

14. الاشتراك في نشرات أمان Adobe لتوفر التصحيحات

15. التخطيط للترقية إلى إصدارات ColdFusion المصححة بمجرد توفرها

16. النظر في منصات تطبيقات بديلة إذا كان الجدول الزمني للتصحيح غير مقبول

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 - Information security requirements for supplier relationships ECC 2024 A.12.6.1 - Management of technical vulnerabilities ECC 2024 A.12.3.1 - Segregation of networks ECC 2024 A.12.4.1 - Event logging and monitoring

🔵 SAMA CSF

SAMA CSF ID.RA-1 - Asset Management and Vulnerability Management SAMA CSF PR.AC-1 - Access Control and Authentication SAMA CSF DE.CM-1 - Detection and Analysis SAMA CSF RS.MI-1 - Incident Response and Recovery

🟡 ISO 27001:2022

ISO 27001:2022 A.12.2.1 - Monitoring and measurement of information security ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.1 - Supplier security requirements ISO 27001:2022 A.8.1.1 - User endpoint devices

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 11.2 - Vulnerability scanning and assessment PCI DSS 10.2 - Logging and monitoring of access

🔗 References & Sources 1

🔗

https://helpx.adobe.com/security/products/coldfusion/apsb26-38.html

psirt@adobe.com

Vendor Advisory

📦 Affected Products / CPE 26 entries

adobe:coldfusion:2023

adobe:coldfusion:2025

📊 CVSS Score

8.6

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score8.6

CWECWE-22

EPSS0.13%

Exploit No

Patch ✗ No

Published 2026-04-14

Source Feed nvd

🇸🇦 Saudi Risk Score

8.8

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-22

🏢 Vendor Advisories

🔗 https://helpx.adobe.com/security/products/coldfusion...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-27305

💬 Comments

Introduce Yourself

Sign In Required