The vulnerability is a variation of a classic directory traversal vulnerability, also referred to as arbitrary file retrieval.
The attack performs a directory traversal against a ColdFusion server and tries to grab the password hash for the administrator user. It then uses the salt value (hidden in the web page) to create the SHA1 HMAC hash that the web server needs for authentication as admin. This value can be passed to the ColdFusion server to authenticate as the admin without cracking the password hash.
You can either apply Adobe's patch or restrict access to the following directories and file to trusted IP addresses only:

/CFIDE/adminapi/
/CFIDE/administrator/
/CFIDE/componentutils/
/CFIDE/wizards/
/CFIDE/install.cfm
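To confirm the restriction is in place, the following added example (not part of the original page or of Adobe's guidance) audits web access-log lines for requests to the locations listed above that came from outside a trusted range. The trusted network, the common log format and the sample log lines are assumptions made for the illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Locations from the list above, lower-cased, trailing slash removed.
RESTRICTED = ("/cfide/adminapi", "/cfide/administrator",
              "/cfide/componentutils", "/cfide/wizards", "/cfide/install.cfm")
# Assumption: the trusted management range (RFC 5737 documentation addresses).
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
# Common log format: client address, request target, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3})')

def is_restricted(target):
    """True if the request target resolves to one of the restricted locations."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    # Collapse "//", "." and ".." and ignore case before comparing.
    norm = posixpath.normpath("/" + path.lstrip("/")).lower()
    return any(norm == r or norm.startswith(r + "/") for r in RESTRICTED)

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(ip in net for net in TRUSTED)

def audit(lines):
    """Return (client, target, status) for restricted requests from untrusted clients."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if m and is_restricted(m.group(2)) and not is_trusted(m.group(1)):
            findings.append((m.group(1), m.group(2), int(m.group(3))))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cfide/Administrator/enter.cfm HTTP/1.1" 200 4096',
    '203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /CFIDE/scripts/../wizards/ HTTP/1.1" 403 199',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/%69nstall.cfm HTTP/1.1" 200 300',
    '198.51.100.4 - - [01/Jan/2024:10:00:12 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, target, status in audit(SAMPLE_LOG):
        note = "blocked" if status in (401, 403, 404) else "SERVED: restriction missing"
        print(f"{client} {target} {status} {note}")
```

A finding with a 200 status means the location was still served to an untrusted address, so the access restriction is missing or does not cover that path variant.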