Security News > 2023 > December > CISA: Adobe ColdFusion flaw leveraged to access government servers (CVE-2023-26360)
Unknown attackers have leveraged a critical vulnerability in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency has shared.
Adobe disclosed and fixed the flaw in mid-March 2023, and said that it was "Aware that CVE-2023-26360 has been exploited in the wild in very limited attacks".
CVE-2023-26360 affected Adobe ColdFusion versions 2021, 2018, 2016 and 11, but Adobe provided patches only for the former two, as ColdFusion 2016 and 11 had previously reached the end of their lifecycle.
CISA has revealed that CVE-2023-26360 has been exploited by unknown attackers to target a Federal Civilian Executive Branch agency between June and July 2023.
In two separate attacks, the attackers managed to compromise at least two public-facing servers that were running outdated software versions - one was running Adobe ColdFusion v2021.
On June 26, 2023, attackers accessed another public-facing web server running Adobe ColdFusion, and again engaged in reconnaissance: they enumerated running processes, checked network connectivity, collected information about the web server and the OS, and checked for the presence of ColdFusion versions 2018 and 2016.
News URL
https://www.helpnetsecurity.com/2023/12/06/cve-2023-26360-government-servers/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-23 | CVE-2023-26360 | Improper Access Control vulnerability in Adobe Coldfusion 2018/2021 Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. | 8.6 |