● Critical · CVSS 9.8

How to Fix CVE-2024-41874: ColdFusion (Bundle Sibling)

Q: Is CVE-2024-41874 actively exploited?

Yes. CVE-2024-41874 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.

Q: What is the CVSS severity of CVE-2024-41874?

Critical. See the advisory for the full CVSS vector.

Q: Where can I read the official advisory?

See https://helpx.adobe.com/security/products/coldfusion/apsb24-71.html

Q: Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

⚡ At a glance


Severity	CVSS 9.8, Critical
Actively exploited?	No
Affected	Adobe ColdFusion (<= 2021.15)
Fixed in	Same patched build as CVE-2023-38204
Type (CWE)	CWE-502: Deserialization of Untrusted Data

CVE-2024-41874 is a sibling vulnerability in the same Adobe ColdFusion advisory bundle as CVE-2023-38204. The same patched build closes every CVE in the bundle, so the remediation procedure for CVE-2024-41874 is the same as for the primary write-up.

What's different about CVE-2024-41874?

ColdFusion versions 2023.9, 2021.15 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability by providing crafted input to the application, which when deserialized, leads to execution of malicious code. Exploitation of this issue does not require user interaction.

The technical distinction is the specific code path or input vector listed in the description above. Impact is consistent with the bundle: remote code execution on the affected system. The patched build addresses every code path in the advisory in one update.