The ColdFusion vulnerability (CVE-2023-26360) appears as an improper access control issue, and it has the potential to execute arbitrary code upon successful exploitation.
Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers is a Cybersecurity Advisory (CSA) that CISA released today to share known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs).
CISA advises network defenders and critical infrastructure organizations to review the CSA so they can strengthen their cybersecurity posture and guard against similar exploitation. To reduce the impact of threat actor activity, CISA also urges software manufacturers to integrate secure-by-design and secure-by-default principles into their software development processes.
Vulnerability in Adobe ColdFusion exploited in the wild
Based on evidence of active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities catalogue. Accordingly, to safeguard their networks from current threats, agencies under the Federal Civilian Executive Branch (FCEB) must fix this vulnerability by September 11, 2023.
Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications.
Publicly disclosed computer security vulnerabilities are listed in the Common Vulnerabilities and Exposures (CVE) database. The CVE that needs to be patched is CVE-2023-26359, which has a CVSS score of 9.8 out of 10.
According to Adobe, a Deserialization of Untrusted Data vulnerability affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). This vulnerability could lead to arbitrary code execution in the current user’s context. User interaction is not necessary to exploit this vulnerability.
Deserialization of untrusted data occurs when an application reconstructs an object from input it does not control. Serializing objects for communication, or storing them for later use, is frequently convenient. Untrusted data, however, cannot be assumed to be well-formed or benign. If insufficient safeguards are in place, crafted input can force code to run during the deserialization process itself. Exploitation may therefore result in arbitrary code execution.
Adobe has published security updates for ColdFusion 2021 and 2018 that fix the weakness. Applying the most recent ColdFusion updates is necessary to address this vulnerability effectively.
The same update also addresses CVE-2023-26360, an Improper Access Control vulnerability that could lead to arbitrary code execution within the current user’s context. Exploitation does not require user interaction. Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected.
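The safeguard the paragraph above alludes to is an allowlist on what a deserializer is permitted to reconstruct: the stream may name any class it likes, but only names the application expects are ever resolved. The example below is an added illustration, not code from the CISA advisory or from Adobe ColdFusion. ColdFusion is Java-based (the Java analogue of this pattern is java.io.ObjectInputFilter); Python's pickle is used here because the technique is language-independent. SessionToken, SAFE_GLOBALS, RestrictedUnpickler, referenced_globals and both sample blobs are hypothetical, constructed for this example.

```python
import io
import pickle
import pickletools
from dataclasses import dataclass


@dataclass
class SessionToken:
    """Hypothetical object an application might legitimately serialize."""
    user: str
    expires: int


# Allowlist of the only (module, name) pairs the unpickler may reconstruct.
# The class is resolved directly from this table rather than imported by the
# name found in the stream, so nothing outside the table can be instantiated.
SAFE_GLOBALS = {
    (SessionToken.__module__, "SessionToken"): SessionToken,
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global reference not on the allowlist."""

    def find_class(self, module, name):
        try:
            return SAFE_GLOBALS[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(
                f"forbidden global {module}.{name} in untrusted data") from None


def safe_loads(data: bytes):
    """Deserialize `data` while enforcing the allowlist (raises on violation)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return ("ok", obj) or ("rejected", reason) instead of raising."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def referenced_globals(data: bytes):
    """Static triage: list every global a pickle stream names, without
    executing it. Approximate (does not follow memo references such as
    BINGET), so enforcement stays in find_class; use this for logging."""
    found = []
    recent_strings = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":            # protocols 0-3: arg is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":    # protocol 4+: two strings on the stack
            found.append((recent_strings[-2], recent_strings[-1]))
        elif op.name in ("STRING", "SHORT_BINSTRING", "BINSTRING",
                         "UNICODE", "SHORT_BINUNICODE", "BINUNICODE",
                         "BINUNICODE8"):
            recent_strings.append(arg)
    return found


# Constructed sample inputs (not real ColdFusion traffic).
SAMPLE_TOKEN = SessionToken(user="alice", expires=1_700_000_000)
GOOD_BLOB = pickle.dumps(SAMPLE_TOKEN, protocol=4)
# A blob that merely references a builtin function not on the allowlist.
# A hostile blob would name something other than `len`, but the allowlist
# rejects it for the same reason: the name is not one the application expects.
BAD_BLOB = pickle.dumps(len, protocol=4)


if __name__ == "__main__":
    print("good:", referenced_globals(GOOD_BLOB), load_or_reject(GOOD_BLOB))
    print("bad: ", referenced_globals(BAD_BLOB), load_or_reject(BAD_BLOB))
```

The point to notice is that the rejection happens before any object is built: find_class is consulted as soon as the stream names a class, so a disallowed name never reaches a constructor or a state-restoring hook. referenced_globals gives a defender a way to record what an incoming blob asked for, which is useful detection telemetry when reviewing rejected inputs.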
Adobe stated in April:
“Adobe is aware that very few attacks targeting Adobe ColdFusion have used CVE-2023-26360 in the wild.”
As a result, this vulnerability is already in the Known Exploited Vulnerabilities Catalogue, and federal civilian executive branch agencies had until April 5, 2023, to remediate it. With a second critical vulnerability now known to be exploited, this is a serious reminder to install the update if you haven’t already.