A web-based application running on the remote Windows host is affected by multiple vulnerabilities.
The remote Windows host is running a version of ColdFusion that allows an unauthenticated, remote attacker to execute unauthorized methods. ColdFusion component methods that use the 'public' modifier can be invoked remotely using WebSockets. Only methods that use the 'remote' modifier should be capable of being invoked in this manner. An unauthenticated, remote attacker can exploit this to execute arbitrary code.