On March 15, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security vulnerability affecting Adobe ColdFusion to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation.
This vulnerability, tracked as CVE-2023-26360 (CVSS score: 8.6), is classified as critical because it could enable threat actors to achieve remote code execution. CISA described it as an improper access control flaw that allows for remote code execution.
CVE-2023-26360: Technical Overview
CVE-2023-26360 is an improper access control issue that impacts ColdFusion 2021 version 5 and earlier, as well as ColdFusion 2018 version 15 and earlier. By exploiting it, unauthenticated attackers can achieve arbitrary code execution on a remote machine.
CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, those versions are no longer supported because they have reached end-of-life (EoL). Although the details of the attacks are still unclear, Adobe has stated that it is aware of the vulnerability being used in “limited attacks” in the wild.
Adobe released a patch for CVE-2023-26360 on March 14, 2023.
Previous Adobe ColdFusion Flaws Used in Attacks
In 2021, Sophos reported that cybercriminals exploited an 11-year-old vulnerability in Adobe ColdFusion 9 to gain remote control of servers, with the goal of deploying the Cring ransomware and infecting other systems on the targeted network. The attack partially damaged the ColdFusion server, but Sophos was still able to recover evidence such as logs and files from the machine; other machines on the network were completely destroyed by the ransomware.