Security News > 2023 > March > CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild
2023-03-16 04:47

The U.S. Cybersecurity and Infrastructure Security Agency on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.

The critical flaw in question is CVE-2023-26360, which could be exploited by a threat actor to achieve arbitrary code execution.

"Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution," CISA said.

It's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, but are no longer supported by the software company as they have reached end-of-life.

While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it's aware of the flaw being "Exploited in the wild in very limited attacks."

Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a "Grave" issue that could result in "Arbitrary code execution" and "Arbitrary file system read.".


News URL

https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-03-23 CVE-2023-26360 Unspecified vulnerability in Adobe Coldfusion 2018/2021
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user.
network
low complexity
adobe
8.6

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Adobe 166 68 2143 934 2114 5259