Adobe ColdFusion vulnerability exploited in the wild

Malwarebytes blog (www.malwarebytes.com), Aug 23, 2023, 12:30 p.m.

CVSS v3.1: 9.8 High
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None
  Scope: Unchanged | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

CVSS v2: 7.5 High
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: Network | Access Complexity: Low | Authentication: None
  Confidentiality Impact: Partial | Integrity Impact: Partial | Availability Impact: Partial

EPSS: 0.857 High (estimated probability of exploitation activity in the next 30 days), 98.1st percentile

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 11, 2023 to protect their networks against active threats.

Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE you need to patch is CVE-2023-26359, which has a CVSS v3.1 base score of 9.8 out of 10.

According to Adobe, Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Deserialization of untrusted data happens when an application reconstructs an object from input it does not control. Serializing objects is convenient for sending them over a network or saving them for later, but bytes arriving from an untrusted source cannot be assumed to describe the object the application expects. Without sufficient protections, such as restricting which classes may be deserialized, an attacker can supply a serialized object whose reconstruction triggers code already present on the server, so attacker-chosen logic runs during the deserialization process itself, before the application ever inspects the result. That is why this class of bug so often leads to arbitrary code execution.
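To make the mechanism concrete, here is an added example in Java (ColdFusion runs on the JVM). It is not code from the Malwarebytes post, from Adobe, or from ColdFusion itself, and it uses invented class names (`DeserializationDemo`, `SessionToken`, `Gadget`) with a harmless flag standing in for a real gadget chain's side effect. It shows that a class's `readObject()` runs while the stream is still being parsed, before the caller's cast or any validation, and that a Java 9+ `ObjectInputFilter` allow-list rejects the unexpected class before it is ever instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration, not Adobe/ColdFusion code. All class names are invented.
public class DeserializationDemo {

    // The only type the server legitimately expects on the wire.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Stand-in for a "gadget": a Serializable class already on the server's
    // classpath whose readObject() has side effects. Real gadget chains end in
    // something like Runtime.exec(); here the side effect is only a flag.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean sideEffectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            sideEffectRan = true; // executes while the stream is still being parsed
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize first, check the type afterwards.
    static SessionToken vulnerableParse(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return (SessionToken) ois.readObject(); // Gadget.readObject() has already run by here
        }
    }

    // Hardened pattern: an allow-list filter admits only SessionToken (and the
    // String it contains) and rejects every other class ("!*") before any
    // object of that class is instantiated.
    static SessionToken hardenedParse(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                SessionToken.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(allowList);
            return (SessionToken) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new SessionToken("alice"));
        byte[] malicious = serialize(new Gadget()); // constructed locally to stand in for attacker input

        try {
            vulnerableParse(malicious);
        } catch (ClassCastException e) {
            // The cast fails, but too late: the gadget's readObject() already ran.
            System.out.println("vulnerable parser: side effect ran = " + Gadget.sideEffectRan);
        }

        Gadget.sideEffectRan = false;
        System.out.println("hardened parser accepts benign input, user = " + hardenedParse(benign).user);
        try {
            hardenedParse(malicious);
        } catch (InvalidClassException e) {
            // Rejected when the class descriptor is read; readObject() never executed.
            System.out.println("hardened parser rejected gadget, side effect ran = " + Gadget.sideEffectRan);
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. The same allow-list can be applied to every `ObjectInputStream` in a process with the `jdk.serialFilter` system property instead of per stream, which is the safer default when you do not control every call site.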

To patch the vulnerability, Adobe has released security updates for ColdFusion 2021 and 2018. To remediate, apply the latest ColdFusion updates; the minimum fixed versions are:

  • ColdFusion 2021 Update 6 or later
  • ColdFusion 2018 Update 16 or later

Another critical vulnerability tackled in the same update is CVE-2023-26360, an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. It affects the same versions: Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).

When it released that update in March 2023, Adobe noted:

> "Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion."

That vulnerability was therefore added to the Known Exploited Vulnerabilities Catalog at the time, with a remediation deadline for Federal Civilian Executive Branch agencies of April 5, 2023. With a second critical vulnerability from the same bulletin now confirmed as exploited in the wild, this is a clear wake-up call to install the update if you haven't already.


We don't just report on vulnerabilities–we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.
