If your organization is running an Internet-facing version of ColdFusion, you may want to take a close look at your server. Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists. In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. The target server was missing a single update from Adobe that had been released just two weeks earlier. On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issues to include an unauthenticated file upload vulnerability. Per the advisory, this vulnerability was assigned CVE-2018-15961 and affects ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). This effectively includes all versions of ColdFusion released over the last four years. […]