The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive requiring federal agencies to patch a maximum-severity vulnerability in Adobe ColdFusion, a commercial web application development platform. The flaw is already being exploited in active attacks.
The directive, which carries a patch deadline of Friday, underscores the severity of the vulnerability. CISA has not yet assigned a CVSS score, but the label 'maximum severity' suggests it likely falls within the 9.0-10.0 critical range. The number of affected systems across federal networks remains unclear, though the agency's response indicates widespread concern.
Technical details remain limited at this stage. The vulnerability affects multiple versions of Adobe ColdFusion, though specific version numbers have not been disclosed. Indicators of compromise are scarce, as CISA has not yet released detailed attack vector information beyond confirming active exploitation.
For federal agencies, the path is clear: patch by Friday or face non-compliance. For private sector organizations running ColdFusion, the same urgency applies, though CISA's order technically applies only to civilian government networks. Adobe has not yet released an official security bulletin detailing the fix or workarounds.
Attribution for the active exploitation remains unknown. However, the timing—amid heightened geopolitical tensions—raises the threat level for any organization still running older, unpatched versions of ColdFusion.