CISA has added a critical vulnerability affecting the 2021 and 2018 versions of Adobe ColdFusion to its catalog of exploited security bugs in the wild.
This critical arbitrary code execution flaw (CVE-2023-26360) is due to an inadequate access control weakness, and can be remotely abused by unauthenticated attackers in low complexity attacks that do not require user interaction.
Adobe addressed the application server vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 and said it was exploited in attacks as a zero-day.
“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” the company said in a security advisory issued Tuesday.
While the flaw also affects installations of ColdFusion 2016 and ColdFusion 11, Adobe no longer provides security updates for unsupported versions.
Administrators are recommended to install security updates as soon as possible (within 72 hours, if possible) and apply the security configuration settings described in the ColdFusion 2018 and ColdFusion 2021 lockdown guides.
Security updates labeled urgent by CISA, researchers
CISA has given all US Federal Civilian Executive Branch (FCEB) agencies three weeks, until April 5, to protect their systems against potential attacks using CVE-2023-26360 exploits.
Although the November 2021 binding operational directive (BOD 22-01) behind the CISA order only applies to federal agencies, all organizations are strongly urged to patch their systems to thwart any exploitation attempts targeting their networks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
While Adobe also published a separate blog post announcing the ColdFusion 2021 and 2018 March 2023 security updates, it failed to mention that the patched security vulnerabilities were also exploited in the wild.
Charlie Arehart, one of two security researchers credited with discovering and reporting the CVE-2023-26360 bug, warned ColdFusion administrators in a comment on Adobe’s blog post about the real importance of these security updates and the urgent need to apply them.
“This security fix is far more important than the writing of this blog post and even the upgrade technotes would suggest,” Arehart said.
“To be clear, I HAVE personally seen the ‘arbitrary code execution’ and ‘arbitrary file system read’ vulnerabilities being perpetrated on multiple servers, and it IS serious.”