CVE-2024-20767 HIGH

CVE-2024-20767: ColdFusion | Improper Access Control (CWE-284)

Vendor Adobe

Product ColdFusion

Weakness CWE-284

KEV Status Known Exploited

Published March 18, 2024

Last update October 21, 2025

View on NVD All CVEs

CVSS base score

7.4/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

March 18, 2024 CVE published

October 21, 2025 Record updated

External resources

04References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-20767 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html CISA KEV Reference https://helpx.adobe.com/security/products/coldfusion/apsb24-14… CISA KEV Reference https://nvd.nist.gov/vuln/detail/CVE-2024-20767

Related vulnerabilities

CVE-2024-20767: ColdFusion | Improper Access Control (CWE-284)

01Description

02CISA Required Action

03Disclosure timeline

04References

05Related CVE