Adobe ColdFusion Vulnerability Exploited in the Wild

Based on evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw affecting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) list on March 15.

CVE-2023-26360 (CVSS rating: 8.6) is the primary weakness in question, which could potentially allow a threat actor to execute arbitrary code.
According to CISA, Adobe ColdFusion has an inappropriate access control vulnerability that permits remote code execution.

The issue affects ColdFusion 2021 and ColdFusion 2018 (Update 15 and previous versions) (Update 5 and earlier versions). Additionally, versions Update 16 and Update 6, both issued on March 14, 2023, both address it.

It’s important to note that CVE-2023-26360 also affects installations of ColdFusion 2016 and ColdFusion 11, both of which the software provider no longer supports as they have reached end-of-life (EoL).

In an advisory, Adobe acknowledged the existence of the vulnerability and stated that it has been “exploited in the wild in extremely limited attacks.” However, the specifics of the attacks are currently unclear.

By April 5, 2023, Federal Civilian Executive Branch (FCEB) organizations must implement the modifications to protect their networks from potential threats.

Security researchers Pete Freitag and Charlie Arehart, who discovered and disclosed the vulnerability, have characterized it as a “severe” issue that could potentially result in “arbitrary code execution” and “arbitrary file system read.”