Project Hyphae

Winter is coming… and so is CVE-2023-26360: Critical Adobe ColdFusion Vulnerability Exploited in the Wild


The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-26360, a critical vulnerability affecting Adobe ColdFusion 2018 and 2021, to its catalog of security bugs exploited in the wild. The flaw stems from an Improper Access Control weakness and can be abused remotely by unauthenticated attackers in low-complexity attacks that require no user interaction. Adobe patched it in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6; it had been used as a zero-day in limited attacks targeting Adobe ColdFusion. Administrators are advised to install the security updates and apply the security configuration settings outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. CISA has given all US Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems against attacks using CVE-2023-26360 exploits.
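The practical question this advisory raises for a defender is which ColdFusion hosts are still below the fixed update levels. The following Python script is an added example, not code from the original post or from Adobe: it triages a constructed host inventory against the fixed versions named above (2018 Update 16, 2021 Update 6). It assumes ColdFusion version strings in the "major,minor,update,build" form that the server reports; that format, the hostnames, and the build numbers in the sample data are all assumptions.

```python
import re

# Fixed update levels named in Adobe's APSB23-25 bulletin for CVE-2023-26360.
FIXED_UPDATE = {2018: 16, 2021: 6}


def parse_cf_version(version: str):
    """Return (major, update) from a ColdFusion version string, or None.

    Assumes the "major,minor,update,build" format (also accepts dots as
    separators); anything that does not parse is reported as unknown.
    """
    parts = re.split(r"[,.]", version.strip())
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return None
    return int(parts[0]), int(parts[2])


def assess(version: str) -> str:
    """Classify one host's version against the fixed update levels."""
    parsed = parse_cf_version(version)
    if parsed is None:
        return "unknown"
    major, update = parsed
    if major not in FIXED_UPDATE:
        # Not a branch the bulletin covers (e.g. end-of-life releases);
        # these need a separate decision, so they are not silently "patched".
        return "out-of-scope"
    return "patched" if update >= FIXED_UPDATE[major] else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version). Returns status -> [hosts]."""
    result = {"vulnerable": [], "patched": [], "out-of-scope": [], "unknown": []}
    for host, version in inventory:
        result[assess(version)].append(host)
    return result


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("cf-app-01", "2018,0,15,314545"),
    ("cf-app-02", "2018,0,16,330018"),
    ("cf-app-03", "2021,0,05,330109"),
    ("cf-app-04", "2021.0.06.330132"),
    ("cf-legacy-01", "2016,0,17,325979"),
    ("cf-app-05", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Being at or above the fixed update level only closes this one CVE; the lockdown-guide settings the advisory points to are a separate, configuration-level step and are not reflected in a version check.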

Links:

https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html

https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/

ColdFusion 2018 lockdown guide:

https://helpx.adobe.com/coldfusion/using/server-lockdown.html

ColdFusion 2021 lockdown guide:

https://www.adobe.com/content/dam/cc/us/en/products/coldfusion/pdfs/cf-starter-kits/coldfusion-2021-lockdown-guide-1.1.pdf


