
On March 15, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security vulnerability affecting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which an attacker can exploit to execute arbitrary code.
“Adobe ColdFusion contains an improper access control vulnerability that could allow remote code execution,” CISA said.
This vulnerability affects ColdFusion 2018 (versions prior to Update 15) and ColdFusion 2021 (versions prior to Update 5). It has been addressed in Update 16 and Update 6, respectively, both released on March 14, 2023.
Note that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, but those versions have reached End of Life (EoL) and are no longer supported by the software company.
While the exact details of the nature of the attack are unknown, Adobe said in its advisory that it is aware that the flaw has been “exploited in the wild in very limited attacks.”
Federal Civilian Executive Branch (FCEB) agencies have until April 5, 2023 to apply the update to protect their networks from potential threats.
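The two practical questions this advisory raises for a defender are which ColdFusion installs are still exposed and how much time remains before the KEV due date. The script below is an added illustration, not part of the original article or of CISA's tooling: it walks a constructed asset inventory, classifies each install against the fix levels and EoL lines quoted above, and cross-references a constructed JSON snippet laid out like the CISA KEV feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` are assumed from the public feed; the hostnames, update numbers and the second placeholder entry are made up).

```python
import json
from datetime import date

# Constructed sample shaped like the CISA KEV JSON feed. Field names are an
# assumption based on the public feed; the CVE-2023-26360 values come from the
# advisory text (added 2023-03-15, FCEB due date 2023-04-05).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-26360",
            "vendorProject": "Adobe",
            "product": "ColdFusion",
            "dateAdded": "2023-03-15",
            "dueDate": "2023-04-05",
            "requiredAction": "Apply updates per vendor instructions.",
        },
        {
            "cveID": "CVE-0000-00000",  # placeholder entry, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "dateAdded": "2023-03-01",
            "dueDate": "2023-03-22",
            "requiredAction": "Apply updates per vendor instructions.",
        },
    ]
})

# First non-vulnerable update per supported ColdFusion line, per the advisory.
FIXED_UPDATE = {2018: 16, 2021: 6}
# Lines the advisory says are also affected but no longer receive patches.
EOL_LINES = {11, 2016}

# Constructed asset inventory: hostname -> (ColdFusion line, installed update).
INVENTORY = {
    "cf-prod-01": (2021, 4),
    "cf-prod-02": (2021, 6),
    "cf-legacy-01": (2018, 15),
    "cf-legacy-02": (2016, 17),
}


def classify_install(line, update):
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one install.

    'unknown' covers lines the advisory does not mention; such hosts should be
    reviewed by hand rather than silently treated as safe.
    """
    if line in EOL_LINES:
        return "eol"
    fixed = FIXED_UPDATE.get(line)
    if fixed is None:
        return "unknown"
    return "patched" if update >= fixed else "vulnerable"


def kev_entries_for(feed_json, vendor, product):
    """Pick the KEV entries that apply to a given vendor/product pair."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if v["vendorProject"] == vendor and v["product"] == product]


def triage(feed_json, inventory, today):
    """Join inventory with KEV entries; flag unpatched hosts past the due date."""
    entries = kev_entries_for(feed_json, "Adobe", "ColdFusion")
    report = []
    for host, (line, update) in sorted(inventory.items()):
        status = classify_install(line, update)
        for entry in entries:
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            report.append({
                "host": host,
                "cve": entry["cveID"],
                "status": status,
                "due": entry["dueDate"],
                "days_left": days_left,
                # EoL installs can never reach 'patched'; they need migration.
                "overdue": status != "patched" and days_left < 0,
            })
    return report


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, INVENTORY, date(2023, 3, 20)):
        print(row)
```

The EoL branch is the part worth copying: an install on ColdFusion 2016 or 11 cannot be brought to a fixed update, so the only remediation that clears the KEV item is decommissioning or migration, and the report keeps such hosts flagged until that happens.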
Charlie Arehart, a security researcher who is credited with discovering and reporting the vulnerability together with Pete Freitag, describes it as potentially leading to “arbitrary code execution” and “arbitrary file system reading.”