Project Hyphae

Winter is coming… and so is CVE-2023-26360: Critical Adobe ColdFusion Vulnerability Exploited in the Wild

Share This Post

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability, CVE-2023-26360, that affects Adobe ColdFusion 2018 and 2021 versions to its catalog of security bugs that have been exploited in the wild. This flaw is due to an Improper Access Control weakness and can be remotely abused by unauthenticated attackers in low-complexity attacks that don’t require user interaction. Adobe has patched this vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, and it has been used as a zero-day vulnerability in limited attacks targeting Adobe ColdFusion. The administrators are advised to install security updates and apply security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. The CISA has given all US Federal Civilian Executive Branch Agencies (FCEB) agencies three weeks to secure their systems against potential attacks using CVE-2023-26360 exploits.


ColdFusion 2018 lockdown guide:

ColdFusion 2021 lockdown guide:

Reach out to our incident response team for help

More To Explore

Information Security News 9-18-2023

Iranian Cyberspies Target Thousands of Organizations with Password Spray Attacks Article Link: Requests via Facebook Messenger Lead to Hijacked Business Accounts Article Link:

Information Security News 9-11-2023

University of Michigan Requires Password Resets After Cyberattack Article Link: Attackers Accessed UK Military Data Through High-Security Fencing Firm’s Windows 7 Rig Article Link:

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.