
CISA warns govt agencies to patch Adobe ColdFusion servers
2023-07-23 14:11

The U.S. Cybersecurity and Infrastructure Security Agency has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two critical security flaws exploited in attacks, one of them as a zero-day.

According to the binding operational directive issued by CISA in November 2021, Federal Civilian Executive Branch Agencies are required to patch their systems against all bugs added to the Known Exploited Vulnerabilities catalog.

CISA issued a second order this week asking federal agencies to secure Citrix servers vulnerable to the CVE-2023-3519 remote code execution bug by August 9th. As Shadowserver Foundation security researchers revealed, at least 11,170 Citrix Netscaler appliances exposed online are likely vulnerable to attacks leveraging the flaw.

Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw.

CISA orders agencies to patch iPhone bugs abused in spyware attacks.

CISA orders govt agencies to patch MOVEit bug used for data theft.


News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-adobe-coldfusion-servers/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2023-07-19 | CVE-2023-3519 | Code Injection vulnerability in Citrix products | network, low complexity, citrix, CWE-94, critical, 9.8
    Unauthenticated remote code execution
2023-07-12 | CVE-2023-29298 | Unspecified vulnerability in Adobe Coldfusion 2018/2021 | network, low complexity, adobe, 7.5
    Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Adobe 166 68 2164 962 2112 5306