A couple of posts have described a vulnerability involving the WebSocket functionality in ColdFusion 10. The Adobe Product Security Incident Response Team (PSIRT) is aware of this issue and is actively engaged with the ColdFusion Product Team to release a fix. Adobe PSIRT is not aware of this issue being exploited in the wild.
A new update will be released soon that directly prevents non-remote methods on a CFC from being invoked through WebSockets.