The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, CVE-2023-26360, that affects Adobe ColdFusion 2018 and 2021 versions to its catalog of security bugs that have been exploited in the wild. This flaw is due to an Improper Access Control weakness and can be remotely abused by unauthenticated attackers in low-complexity attacks that don’t require user interaction. Adobe has patched this vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, and it has been used as a zero-day vulnerability in limited attacks targeting Adobe ColdFusion. The administrators are advised to install security updates and apply security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. The CISA has given all US Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks to secure their systems against potential attacks using CVE-2023-26360 exploits.
ColdFusion 2018 lockdown guide:
ColdFusion 2021 lockdown guide: