CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.
This critical arbitrary code execution flaw (CVE-2023-26360) is due to an Improper Access Control weakness, and it can be abused remotely by unauthenticated attackers in low-complexity attacks that don’t require user interaction.
Adobe addressed the application server vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 and said it was exploited in attacks as a zero-day.
While the flaw also affects ColdFusion 2016 and ColdFusion 11 installations, Adobe no longer provides security updates for versions that are out of support.
Administrators are advised to install the security updates as soon as possible (within 72 hours, if possible) and apply security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides.
Security updates tagged as urgent by CISA, researchers
CISA has given all U.S. Federal Civilian Executive Branch (FCEB) agencies three weeks, until April 5, to secure their systems against potential attacks using CVE-2023-26360 exploits.
Even though the November 2021 binding operational directive (BOD 22-01) behind CISA’s order only applies to federal agencies, all organizations are strongly urged to patch their systems to thwart exploitation attempts that might target their networks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
While Adobe also published a separate blog post announcing the ColdFusion 2021 and 2018 March 2023 Security Updates, it failed to mention that the patched security vulnerabilities were also exploited in the wild.
Charlie Arehart, one of the two security researchers credited with discovering and reporting the CVE-2023-26360 bug, used a comment on Adobe’s blog post to warn ColdFusion admins of the security updates’ real importance and the need to apply them urgently.
“This security fix is far more important than the wording of this blog post suggests and even that the update technotes would suggest,” Arehart warned.
“To be clear, I HAVE personally seen both the ‘arbitrary code execution’ and ‘arbitrary file system read’ vulnerabilities having been perpetrated on multiple servers, and it IS grave.”