Adobe ColdFusion Vulnerability Exploited in the Wild

Adobe ColdFusion Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.

“Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,” CISA said.

The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.

While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”

Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read.”