The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability affecting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, indicating evidence of active exploitation. The vulnerability, identified as CVE-2023-26360 (CVSS score: 8.6), enables a threat actor to achieve arbitrary code execution due to an improper access control issue in Adobe ColdFusion. The affected versions include ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier), with fixes released on March 14, 2023, as Update 16 and Update 6, respectively.
Although the exact nature of the attacks remains undisclosed, Adobe acknowledged the flaw’s exploitation in limited attacks in the wild. Federal Civilian Executive Branch (FCEB) agencies have been instructed to apply the updates by April 5, 2022, to protect their networks from potential threats. Security researcher Charlie Arehart, who discovered and reported the flaw alongside Pete Freitag, characterized it as a severe issue that could result in arbitrary code execution and arbitrary file system read.
CISA urges administrators to install the security updates promptly and to apply the security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. All organizations, not just federal agencies, are strongly encouraged to patch their systems to mitigate the risk of exploitation. CISA has given FCEB agencies until April 5 to secure their systems against attacks exploiting CVE-2023-26360. Arehart, in a comment on Adobe’s blog post, emphasized the urgency of applying this fix, as he had personally observed the vulnerability being exploited on multiple servers.