Prevent and detect Adobe ColdFusion exploitation (CVE-2023-26360, CVE-2023-26359)
2023-04-04 12:23

When Adobe released security updates for its ColdFusion application development platform last month, it noted that one of the vulnerabilities had been exploited in the wild "In very limited attacks."

CVE-2023-26360 is an improper access control vulnerability that could result in arbitrary code execution in the context of the current user, and was reported to Adobe by security consultants Charlie Arehart and Pete Freitag.

Soon after Adobe released the security bulletin and the security updates, the US CISA added CVE-2023-26360 to its Known Exploited Vulnerabilities catalog and set a deadline for federal civilian executive branch agencies to remediate it by April 5, 2023.

The security updates fix CVE-2023-26360 and two other flaws - CVE-2023-26359 and CVE-2023-26361 - that could lead to arbitrary code execution, arbitrary file system read, and memory leak.

"In my own opinion this security fix is far more important than the wording of suggests and even that the update technotes would suggest. To be clear, I HAVE personally seen both the 'arbitrary code execution' and 'arbitrary file system read' vulnerabilities having been perpetrated on multiple servers, and it IS grave," he noted.

With all this in mind, if you're using Adobe ColdFusion to develop and deploy web or mobile apps or generate remote services and you haven't updated your servers to ColdFusion 2018 Update 16 or ColdFusion 2021 Update 6, now is high time to do it.


News URL

https://www.helpnetsecurity.com/2023/04/04/exploitation-cve-2023-26360-cve-2023-26359/
