CRITICAL VULNERABILITY IN ADOBE COLDFUSION EXPLOITED IN THE WILD
CVE-2023-26359
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-26360
8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVE-2023-26361
4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Sources
- https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html
- https://attackerkb.com/topics/1iRdvtUgtW/cve-2023-26359/rapid7-analysis
Risks
Adobe has released a security update for Adobe ColdFusion versions 2018 and 2021. This update resolves three vulnerabilities. Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion. In addition, exploit code is expected to be released as a Metasploit module soon, after which broader exploitation should be anticipated.
The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity. This report contains instructions to help your organisation.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
Description
Three vulnerabilities (two critical, one important) were found and patched in Adobe ColdFusion:
- Deserialization of untrusted data leading to arbitrary code execution (CVE-2023-26359, critical)
- Improper access control leading to arbitrary code execution (CVE-2023-26360, critical; exploited in the wild)
- Improper limitation of a pathname to a restricted directory ('Path Traversal') leading to a memory leak (CVE-2023-26361, important)
Affected products
ColdFusion is a web application development platform that employs the ColdFusion Markup Language (CFML) to create dynamic, data-driven web applications. The following versions are affected:
- ColdFusion 2018, update 15 and earlier
- ColdFusion 2021, update 5 and earlier
Recommended Actions
The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.
Update the installation to the fixed update level for the release line in use:
- ColdFusion version 2018, update 16
- ColdFusion version 2021, update 6
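To decide quickly which servers in an inventory still need the update, the installed update level can be compared against the fixed levels above. The script below is an added example written for this report; it is not Adobe's or Rapid7's code. It assumes the version string format ColdFusion reports through its Administrator "System Information" page and the server.coldfusion.productversion variable, i.e. "release,minor,update,build" such as "2021,0,05,330109"; the host names and build numbers in the sample inventory are constructed for illustration and are not real systems.

```python
"""Triage ColdFusion installations against the APSB23-25 fixed update levels.

Added example for this advisory (not vendor code). Assumes ColdFusion
version strings of the form "release,minor,update,build" as shown in the
Administrator "System Information" page, e.g. "2021,0,05,330109".
"""

from typing import Dict, List, Optional, Tuple

# Update level that contains the APSB23-25 fixes, per release line
# (ColdFusion 2018 Update 16, ColdFusion 2021 Update 6).
FIXED_UPDATE: Dict[int, int] = {2018: 16, 2021: 6}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse "2021,0,05,330109" (or the dotted form "2021.0.05.330109")
    into (release, minor, update, build). Raises ValueError on anything else,
    so a malformed inventory entry is flagged rather than silently passed."""
    parts = [p.strip() for p in version.replace(".", ",").split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    release, minor, update, build = (int(p) for p in parts)
    return release, minor, update, build


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the update level is below the APSB23-25 fix for that release,
    False if it is at or above the fix, None if the release line is not one
    the advisory covers (e.g. older, unsupported releases) and must be
    reviewed separately rather than assumed safe."""
    release, _minor, update, _build = parse_version(version)
    fixed = FIXED_UPDATE.get(release)
    if fixed is None:
        return None
    return update < fixed


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (host, version) pair to a short status for the patch report."""
    results: Dict[str, str] = {}
    for host, version in inventory:
        try:
            state = is_vulnerable(version)
        except ValueError as exc:
            results[host] = f"unparseable version ({exc})"
            continue
        if state is None:
            results[host] = "not covered by APSB23-25; review separately"
        elif state:
            results[host] = "vulnerable: apply the APSB23-25 update"
        else:
            results[host] = "patched"
    return results


# Constructed sample inventory (host names and build numbers are illustrative).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("cf-prod-01", "2021,0,05,330109"),   # CF2021 Update 5: needs Update 6
    ("cf-prod-02", "2021,0,06,330132"),   # CF2021 Update 6: fixed
    ("cf-legacy-01", "2018,0,15,330109"), # CF2018 Update 15: needs Update 16
    ("cf-archive", "2016,0,17,325979"),   # CF2016: not covered by the advisory
    ("cf-unknown", "n/a"),                # bad inventory data
]


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

The comparison is deliberately on the update number only: ColdFusion's minor field is always 0 for these release lines and the build number changes with every update, so the update level is what the advisory's fixed versions are expressed in. Any release line not listed in the advisory is reported for manual review instead of being treated as patched.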
If you have already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident