Project Hyphae

Winter is coming… and so is CVE-2023-26360: Critical Adobe ColdFusion Vulnerability Exploited in the Wild


The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-26360, a critical vulnerability affecting Adobe ColdFusion 2018 and 2021, to its catalog of security bugs that have been exploited in the wild. The flaw stems from an Improper Access Control weakness and can be abused remotely by unauthenticated attackers in low-complexity attacks that don't require user interaction. It has been used as a zero-day in limited attacks targeting Adobe ColdFusion, and Adobe has patched it in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6. Administrators are advised to install the security updates and apply the security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. CISA has given all US Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems against potential attacks using CVE-2023-26360 exploits.

Links:

https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/

ColdFusion 2018 lockdown guide:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html

ColdFusion 2021 lockdown guide:

https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2021-lockdown-guide-1.1.pdf


