Security News > 2023 > April > Prevent and detect Adobe ColdFusion exploitation (CVE-2023-26360, CVE-2023-26359)
When Adobe released security updates for its ColdFusion application development platform last month, it noted that one of the vulnerabilities had been exploited in the wild "in very limited attacks."
CVE-2023-26360 is an improper access control vulnerability that could result in arbitrary code execution in the context of the current user, and was reported to Adobe by security consultants Charlie Arehart and Pete Freitag.
Soon after Adobe released the security bulletin and the security updates, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-26360 to its Known Exploited Vulnerabilities catalog and set a deadline for federal civilian executive branch agencies to remediate it by April 5, 2023.
The security updates fix CVE-2023-26360 and two other flaws: CVE-2023-26359, a deserialization of untrusted data vulnerability that can also lead to arbitrary code execution, and CVE-2023-26361, a path traversal vulnerability that can result in arbitrary file system read (listed by Adobe as a memory leak).
"In my own opinion this security fix is far more important than the wording of [the security bulletin] suggests and even that the update technotes would suggest. To be clear, I HAVE personally seen both the 'arbitrary code execution' and 'arbitrary file system read' vulnerabilities having been perpetrated on multiple servers, and it IS grave," Arehart noted.
With all this in mind, if you're using Adobe ColdFusion to develop and deploy web or mobile apps or to provide remote services, and you haven't yet updated your servers to ColdFusion 2018 Update 16 or ColdFusion 2021 Update 6 (the builds that carry the fixes), now is high time to do it.
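As an added example (not code from the article, from Adobe, or from the consultants it quotes), the following Python triage check classifies ColdFusion installs by update level against the fixed builds named above: 2018 Update 16 and 2021 Update 6, with 2018 Update 15 / 2021 Update 5 and earlier treated as affected. The two input formats it accepts, a product version string of the form `year,0,update,build` and an installed hotfix jar name of the form `chfYYYYNNNN.jar`, are assumptions about how ColdFusion reports its version, not something the page states; the host names and build numbers in the sample inventory are constructed.

```python
"""Patch-level triage for Adobe ColdFusion against the March 2023 bulletin
(CVE-2023-26359, CVE-2023-26360, CVE-2023-26361).

Fixed levels come from the article: ColdFusion 2018 Update 16 and
ColdFusion 2021 Update 6. Anything at 2018 Update 15 / 2021 Update 5 or
earlier is affected.
"""
import re

# Minimum update number per release line that carries the fix.
FIXED_UPDATE = {2018: 16, 2021: 6}

# ASSUMED input formats (not stated on the page):
#  1. A product version string as reported by the server,
#     e.g. "2021,0,05,330109" = release year, 0, update number, build.
#  2. The name of an installed hotfix jar, e.g. "chf20210005.jar" =
#     "chf" + 4-digit release year + 4-digit update number.
_PRODUCT_RE = re.compile(r"^(\d{4}),\d+,(\d+),\d+$")
_HOTFIX_RE = re.compile(r"^chf(\d{4})(\d{4})\.jar$", re.IGNORECASE)


def parse_update_level(text):
    """Return (release_year, update_number), or None if neither format matches."""
    text = text.strip()
    for pattern in (_PRODUCT_RE, _HOTFIX_RE):
        m = pattern.match(text)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def assess(text):
    """Classify one install as 'patched', 'vulnerable', 'review' or 'unknown'.

    'review' covers release lines the bulletin does not name (the page only
    covers 2018 and 2021); 'unknown' covers unparseable input. Both are
    findings to follow up on, not results to ignore.
    """
    parsed = parse_update_level(text)
    if parsed is None:
        return "unknown"
    year, update = parsed
    if year not in FIXED_UPDATE:
        return "review"
    return "patched" if update >= FIXED_UPDATE[year] else "vulnerable"


def triage(inventory):
    """Map host -> status for a {host: version_text} inventory, worst first."""
    order = {"vulnerable": 0, "review": 1, "unknown": 2, "patched": 3}
    results = {host: assess(text) for host, text in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))


if __name__ == "__main__":
    # Constructed sample inventory; host names and build numbers are made up.
    sample = {
        "cf-prod-01": "2021,0,05,330109",
        "cf-prod-02": "2021,0,06,330617",
        "cf-legacy-01": "2018,0,15,328000",
        "cf-legacy-02": "chf20180016.jar",
        "cf-eol-01": "2016,0,18,000000",
        "cf-odd-01": "ColdFusion (unknown)",
    }
    for host, status in triage(sample).items():
        print(f"{host:14s} {status}")
```

Feed it whatever version evidence you already collect per host (a banner from the administrator, a directory listing of installed hotfix jars, a CMDB export); a host that comes back as "review" or "unknown" still needs a human to confirm the level before it is counted as patched.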
News URL
https://www.helpnetsecurity.com/2023/04/04/exploitation-cve-2023-26360-cve-2023-26359/
Related Vulnerability
DATE | CVE | VULNERABILITY | CVSS BASE SCORE |
---|---|---|---|
2023-03-23 | CVE-2023-26361 | Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), which could result in arbitrary file system read. | 4.9 |
2023-03-23 | CVE-2023-26360 | Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier): Improper Access Control, which could result in arbitrary code execution in the context of the current user. Exploited in the wild; listed in CISA's KEV catalog. | 8.6 |
2023-03-23 | CVE-2023-26359 | Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier): Deserialization of Untrusted Data, which could result in arbitrary code execution in the context of the current user. | 9.8 |