CISA warns govt agencies to patch Adobe ColdFusion servers
The U.S. Cybersecurity and Infrastructure Security Agency has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two critical security flaws exploited in attacks, one of them as a zero-day.
According to the binding operational directive issued by CISA in November 2021, Federal Civilian Executive Branch Agencies are required to patch their systems against all bugs added to the Known Exploited Vulnerabilities catalog.
CISA issued a second order this week asking federal agencies to secure Citrix servers vulnerable to the CVE-2023-3519 remote code execution bug by August 9th. As Shadowserver Foundation security researchers revealed, at least 11,170 Citrix Netscaler appliances exposed online are likely vulnerable to attacks leveraging the flaw.
Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw.
CISA orders agencies to patch iPhone bugs abused in spyware attacks.
CISA orders govt agencies to patch MOVEit bug used for data theft.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-07-19 | CVE-2023-3519 | Code Injection vulnerability in Citrix products Unauthenticated remote code execution | 9.8 |
2023-07-12 | CVE-2023-29298 | Unspecified vulnerability in Adobe Coldfusion 2018/2021 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. | 7.5 |