CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
The critical flaw in question is CVE-2023-26360, which could be exploited by a threat actor to achieve arbitrary code execution.
"Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution," CISA said.
It's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, but those versions are no longer supported by the software company, as they have reached end-of-life.
While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it's aware of the flaw being "exploited in the wild in very limited attacks."
Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a "grave" issue that could result in "arbitrary code execution" and "arbitrary file system read."
News URL
https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2023-03-23 | CVE-2023-26360 | Unspecified vulnerability in Adobe ColdFusion 2018/2021: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. | 8.6