ColdFusion

Winsage
July 9, 2025
In July 2025, Adobe released 13 bulletins addressing 60 unique CVEs across various applications, including ColdFusion, After Effects, and Illustrator. ColdFusion received a Priority 1 patch for 13 CVEs, five of which are Critical. FrameMaker's patch fixed 15 CVEs, including 13 Critical vulnerabilities. Illustrator's update addressed 10 bugs, with the most severe enabling code execution. Other applications like InCopy and InDesign also had Critical vulnerabilities fixed. Microsoft released fixes for 130 new CVEs across its products, with 10 rated Critical. Notable vulnerabilities include CVE-2025-47981, a heap-based buffer overflow in Windows SPNEGO, and CVE-2025-49717 affecting Microsoft SQL Server. CVE-2025-49704 allows code injection in SharePoint, while CVE-2025-49695 highlights an attack vector in Microsoft Office's Preview Pane.
Winsage
December 24, 2024
Adobe released out-of-band security updates to address a critical vulnerability in ColdFusion, identified as CVE-2024-53961, which is a path traversal weakness affecting ColdFusion versions 2023 and 2021. This flaw could allow attackers to read arbitrary files on compromised servers. Adobe categorized the flaw with a "Priority 1" severity rating and urged administrators to apply the emergency security patches—ColdFusion 2021 Update 18 and ColdFusion 2023 Update 12—within 72 hours. The Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the risks associated with path traversal vulnerabilities and previously required federal agencies to secure their Adobe ColdFusion servers against other critical vulnerabilities by August 10, 2023. CISA also noted that hackers had been exploiting another ColdFusion vulnerability to target outdated government servers since June 2023.