CISA warns of Adobe ColdFusion bug exploited as a zero-day
CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.
Adobe addressed the application server vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 and said it was exploited in attacks as a zero-day.
"Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," the company said in a security advisory issued this Tuesday.
While the flaw also affects ColdFusion 2016 and ColdFusion 11 installations, Adobe no longer provides security updates for versions that are out of support.
Administrators are advised to install the security updates as soon as possible and apply security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides.
While Adobe also published a separate blog post announcing the ColdFusion 2021 and 2018 March 2023 Security Updates, it failed to mention that the patched security vulnerabilities were also exploited in the wild.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-03-23 | CVE-2023-26360 | Unspecified vulnerability in Adobe ColdFusion 2018/2021. Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. | 8.6 |