Headline
Adobe ColdFusion vulnerability exploited in the wild
Categories: Exploits and vulnerabilities Categories: News Tags: Adobe
Tags: ColdFusion
Tags: CVE-2023-26359
Tags: CVE-2023-26360
Tags: critical
Tags: known exploited
Tags: deserialization
A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA’s known exploited vulnerabilities catalog.
(Read more…)
The post Adobe ColdFusion vulnerability exploited in the wild appeared first on Malwarebytes Labs.
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by September 11, 2023 to protect their networks against active threats.
Adobe ColdFusion is an application server and a platform for building and deploying web and mobile applications.
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE you need to patch is CVE-2023-26359, which has a CVSS score of 9.8 out of 10.
According to Adobe, Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
Deserialization of untrusted data happens when an application uses data input to create an object. It is often convenient to serialize objects for communication or to save them for later use. However, untrusted data can’t be relied on to be well-formed. When there are not sufficient protections in place this can be abused to trigger self-execution during the deserialization process. Exploitation can lead to arbitrary code execution.
To patch the vulnerability Adobe has released security updates for ColdFusion versions 2021 and 2018. To successfully remediate against this vulnerability the latest updates for ColdFusion should be applied, specifically:
- ColdFusion 2021 Update 6 or later
- ColdFusion 2018 Update 16 or later
Another critical vulnerability tackled in this update is CVE-2023-26360—an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. It affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).
In April Adobe noted:
“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion.”
Therefore this vulnerability has previously been added to the Known Exploited Vulnerabilities Catalog. The remediation deadline for federal civilian executive branch agencies was April 5, 2023. With a second critical, and known to be exploited vulnerability, this really is a wake up call to install that update if you haven’t already.
We don’t just report on vulnerabilities—we identify them, and prioritize action.
Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.
Related news
Adobe ColdFusion versions 2018,15 and below and versions 2021,5 and below suffer from an arbitrary file read vulnerability.
Everyone's New Year's Resolution should be to stop using passwords altogether.
By Deeba Ahmed CISA Warns of Critical Adobe ColdFusion Vulnerability Actively Exploited by Threat Actors. This is a post from HackRead.com Read the original post: Adobe ColdFusion Flaw Used by Hackers to Access US Govt Servers
CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (
This Metasploit module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to gain remote code execution.
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read. Exploitation of this issue does not require user interaction, but does require administrator privileges.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion
Categories: Exploits and vulnerabilities Categories: News Tags: patch Tuesday Tags: March Tags: 2023 Tags: Microsoft Tags: Adobe Tags: Fortinet Tags: Android Tags: SAP Tags: CVE-2023-23397 Tags: CVE-2023-24880 Tags: CVE-2023-26360 Tags: CVE-2022-41328 This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one. (Read more...) The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.