The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include two critical security flaws affecting Adobe ColdFusion and the Windows Kernel. These vulnerabilities, tracked as CVE-2024-20767 and CVE-2024-35250, are actively being exploited in the wild, posing significant risks to organizations worldwide.

Critical Vulnerabilities Added to CISA's KEV Catalog

CISA's KEV catalog serves as a prioritized list of vulnerabilities that federal agencies must patch within strict deadlines. The latest additions highlight:

  • CVE-2024-20767 (Adobe ColdFusion): A deserialization vulnerability that could allow remote code execution (RCE) on affected systems
  • CVE-2024-35250 (Windows Kernel): A privilege escalation flaw in the Windows Common Log File System (CLFS) driver

Adobe ColdFusion Vulnerability (CVE-2024-20767)

This critical vulnerability affects:

  • ColdFusion 2023 (versions prior to Update 6)
  • ColdFusion 2021 (versions prior to Update 12)

Impact: Successful exploitation could allow attackers to execute arbitrary code on vulnerable systems without authentication. Adobe has rated this vulnerability as Critical with a CVSS score of 9.8.

Mitigation: Organizations should immediately apply the latest ColdFusion updates:

  • ColdFusion 2023 Update 6
  • ColdFusion 2021 Update 12

Windows Kernel Vulnerability (CVE-2024-35250)

This elevation of privilege vulnerability affects:

  • Windows 10 (versions 1809 and later)
  • Windows 11
  • Windows Server 2019/2022

Impact: The flaw exists in the Windows Common Log File System (CLFS) driver and could allow attackers to gain SYSTEM privileges. Microsoft has rated this as Important with a CVSS score of 7.8.

Mitigation: Microsoft released patches for this vulnerability in their June 2024 Patch Tuesday updates. Organizations should prioritize applying these security updates.

Why These Vulnerabilities Matter

Both vulnerabilities meet CISA's criteria for inclusion in the KEV catalog:

  1. There is clear evidence of active exploitation
  2. The vulnerabilities have publicly available exploit code
  3. They affect widely used enterprise software
  4. Successful exploitation could lead to complete system compromise

CISA mandates that all federal agencies patch these vulnerabilities by July 15, 2024. Private sector organizations should follow the same timeline:

  • Immediately: Inventory systems running affected software
  • Within 24 hours: Apply available patches
  • Ongoing: Monitor for signs of exploitation
  • Future: Implement vulnerability management programs

Broader Cybersecurity Implications

These additions to the KEV catalog highlight several concerning trends:

  • Attackers are increasingly targeting enterprise software
  • Privilege escalation remains a favored attack vector
  • The window between vulnerability disclosure and exploitation continues to shrink

How to Check for Vulnerable Systems

Organizations can use these methods to identify at-risk systems:

# Windows check for CLFS driver version
Get-WmiObject Win32_PnPSignedDriver | Where-Object {$_.DeviceName -like '*CLFS*'} | Select-Object DeviceName, DriverVersion

For ColdFusion, administrators should:

  1. Check the ColdFusion administrator dashboard
  2. Verify installed updates
  3. Review patch documentation from Adobe

Long-Term Security Recommendations

Beyond immediate patching, organizations should:

  • Implement application allowlisting
  • Segment networks to limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions
  • Conduct regular vulnerability assessments

Conclusion

With these vulnerabilities now actively exploited, organizations must treat them with the highest priority. The inclusion in CISA's KEV catalog serves as both a warning and a call to action for all entities using these widely deployed technologies.