CISA warns of an Adobe ColdFusion bug exploited as a zero-day

CISA has added a critical vulnerability affecting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.

The critical arbitrary code execution flaw (CVE-2023-26360) stems from an Improper Access Control weakness (CWE-284) and can be exploited remotely by unauthenticated attackers in low-complexity attacks that require no user interaction.

Adobe fixed the application server vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 and said it had already been exploited in attacks as a zero-day.

“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks against Adobe ColdFusion,” the company said in a security bulletin released this Tuesday.

Although the flaw also affects ColdFusion 2016 and ColdFusion 11 installations, Adobe no longer provides security updates for those out-of-support versions, so the only remediation for them is an upgrade to a supported release.

Administrators are advised to install the security updates as soon as possible (within 72 hours if they can) and to apply the security configuration settings laid out in the ColdFusion 2018 and ColdFusion 2021 Lockdown Guides.
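The first practical step for anyone running ColdFusion is to find which installations sit below the fixed update levels named above. The script below is an added example written for this article, not Adobe's or CISA's code. It assumes the `major,minor,update,build` form of the version string that ColdFusion Administrator displays (for example `2021,0,05,330109`), with the Update number in the third field; that format, the hostnames and the build numbers in the sample inventory are all constructed for the example and are not stated on this page.

```python
"""Triage a ColdFusion inventory against the CVE-2023-26360 fix levels.

Added example for this article, not Adobe's code. Assumption: the version
string has the form "major,minor,update,build" (dots also accepted), with the
Update number in the third field, as shown in ColdFusion Administrator.
"""
import re
from dataclasses import dataclass

# First update level that contains the CVE-2023-26360 fix (from the article).
FIXED_UPDATE = {2018: 16, 2021: 6}
# Releases the article says no longer receive security updates.
END_OF_LIFE = {11, 2016}


@dataclass
class Verdict:
    host: str
    status: str   # "patched", "vulnerable", "end-of-life" or "unknown"
    detail: str


def parse_version(version: str):
    """Return (major, update) from "2021,0,05,330109" or "2018.0.16.320445".

    Accepts comma or dot separators. Returns None when the string does not
    carry at least three numeric fields, so garbage never silently passes.
    """
    parts = re.split(r"[.,]", version.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    return int(parts[0]), int(parts[2])


def assess(host: str, version: str) -> Verdict:
    """Classify one host against the fixed update levels."""
    parsed = parse_version(version)
    if parsed is None:
        return Verdict(host, "unknown", f"unparseable version {version!r}")
    major, update = parsed
    if major in END_OF_LIFE:
        return Verdict(host, "end-of-life", f"ColdFusion {major} gets no fix; upgrade")
    if major not in FIXED_UPDATE:
        return Verdict(host, "unknown", f"ColdFusion {major} not covered by this check")
    needed = FIXED_UPDATE[major]
    if update >= needed:
        return Verdict(host, "patched", f"Update {update} >= Update {needed}")
    return Verdict(host, "vulnerable", f"Update {update} < Update {needed}")


def triage(inventory):
    """Return verdicts with the hosts needing action first.

    Order: vulnerable (patch now), end-of-life (upgrade), unknown (go look),
    then patched. The sort is stable, so inventory order is kept within a group.
    """
    order = {"vulnerable": 0, "end-of-life": 1, "unknown": 2, "patched": 3}
    verdicts = [assess(host, version) for host, version in inventory]
    return sorted(verdicts, key=lambda v: order[v.status])


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("cf-app-01", "2021,0,05,330109"),   # one update short of the fix
    ("cf-app-02", "2021,0,06,330132"),   # at the fixed level
    ("cf-legacy-03", "2018,0,15,314419"),
    ("cf-legacy-04", "2018.0.16.320445"),  # dot-separated variant
    ("cf-old-05", "2016,0,17,325979"),   # out of support
    ("cf-odd-06", "n/a"),                # inventory gap
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.host:14} {v.status:12} {v.detail}")
```

Feed it the version strings collected from each server (the Administrator "Version" page or the update log) rather than trusting a CMDB field; an "unknown" verdict is a finding in its own right, since a ColdFusion host nobody can version is exactly the one that stays unpatched.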

Security updates are labeled as urgent by CISA, researchers

CISA has given all Federal Civilian Executive Branch (FCEB) agencies three weeks, until April 5, to secure their systems against attacks exploiting CVE-2023-26360.

Although the November 2021 Binding Operational Directive (BOD 22-01) under which CISA issued the order applies only to federal agencies, all organizations are strongly encouraged to patch their systems to thwart exploitation attempts that could target their networks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.

While Adobe also published a separate blog post announcing the March 2023 security updates for ColdFusion 2021 and ColdFusion 2018, it did not mention that the patched vulnerabilities had been exploited in the wild.

Charlie Arehart, one of the two security researchers credited with discovering and reporting CVE-2023-26360, warned ColdFusion administrators in a comment on Adobe’s blog post about the real severity of the flaw and the urgency of applying the updates.

“This security fix is much more important than the wording of this blog post suggests, or even what the update techs would suggest,” Arehart warned.

“To be clear, I have personally seen both ‘arbitrary code execution’ and ‘arbitrary file system read’ vulnerabilities executed on multiple servers, and this is serious.”
