www.belgium.be Logo of the federal government

CRITICAL VULNERABILITY IN ADOBE COLDFUSION EXPLOITED IN THE WILD

Reference: 
Advisory #2023-036
Version: 
1.0
Affected software: 
Adobe ColdFusion versions 2018 (update 15 and earlier)
Adobe ColdFusion versions 2021 (update 5 and earlier)
Type: 
Arbitrary code execution (2) and memory leak (1)
CVE/CVSS: 

CVE-2023-26359
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-26360
8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVE-2023-26361
4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Sources

Risks

Adobe has released a security update for Adobe ColdFusion versions 2018 and 2021. This update resolves 3 vulnerabilities.  Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion. However, the exploit code will be available as a Metasploit module soon.

The Centre for Cybersecurity Belgium recommends system administrators patch vulnerable systems as soon as possible and analyze system and network logs for any suspicious activity. This report has instructions to help your organization.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident

Description

3 vulnerabilities (2 critical, 1 important) were found and patched in Adobe ColdFusion:

  • Deserialization of untrusted data leading to arbitrary code execution (CVE-2023-26359)
  • Improper access control leading to arbitrary code execution (CVE-2023-26360)
  • Improper limitation of a pathname to a restricted Directory leading to a memory leak ('Path Traversal') (CVE-2023-26361)

Affected products
ColdFusion is a web application development platform that employs the ColdFusion Markup Language (CFML) to create dynamic, data-driven web applications.

Recommended Actions

The Centre for Cybersecurity Belgium recommends system administrators to patch vulnerable systems as soon as possible and to analyse system and network logs for any suspicious activity.

Update the installation to one of the latest versions:

  • ColdFusion version 2018, update 16
  • ColdFusion version 2021, update 6

If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident