The US Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies three weeks to secure Adobe ColdFusion servers on their networks against two critical security flaws exploited in attacks, including one as a zero-day.
According to Binding Operational Directive (BOD 22-01) issued by CISA in November 2021, civilian federal executive branch (FCEB) agencies are required to patch their systems against all bugs added to the Known Exploited Vulnerabilities (KEV) catalog.
Although the catalog primarily focuses on federal agencies, private companies are strongly advised to prioritize and quickly address both vulnerabilities.
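The directive's mechanics are simple to automate: pull the KEV feed, match its entries against what is still unpatched in your inventory, and track the due date. The following script is an added example, not part of the original article or of any CISA tooling. It parses a constructed sample in the shape of CISA's KEV JSON feed (the real feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and reports, per host, which KEV-listed ColdFusion CVEs remain open and how many days are left before the due date. The dates, hostnames and inventory contents are constructed placeholders, not the catalog's actual entries.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The two CVE IDs are
# the ones named in the article; the dates and other field values are
# placeholders chosen to reflect a three-week remediation window, not the
# catalog's real entries.
SAMPLE_KEV = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-29298", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2023-07-20", "dueDate": "2023-08-10",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-38205", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2023-07-20", "dueDate": "2023-08-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: hostname -> CVE IDs a scanner still reports as open.
# CVE-2023-29300 is deliberately included to show a CVE outside the KEV sample.
SAMPLE_INVENTORY = {
    "cf-prod-01": {"CVE-2023-29298", "CVE-2023-38205"},
    "cf-dev-02": {"CVE-2023-38205", "CVE-2023-29300"},
}


def load_kev(feed_text):
    """Parse KEV feed JSON text and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def entries_for_product(vulns, vendor, product):
    """Return KEV entries for one vendor/product pair (case-insensitive match)."""
    return [
        v for v in vulns
        if v["vendorProject"].lower() == vendor.lower()
        and v["product"].lower() == product.lower()
    ]


def remediation_report(vulns, inventory, today_iso):
    """Cross-reference open CVEs per host against KEV entries.

    today_iso is an ISO date string (YYYY-MM-DD). Returns one row per
    (host, CVE) that appears in KEV and is still open, with the KEV due date,
    days remaining (negative when overdue) and an OPEN/OVERDUE status.
    CVEs not in KEV are skipped: they still need patching, but fall outside
    the BOD 22-01 deadline this report tracks.
    """
    today = date.fromisoformat(today_iso)
    by_cve = {v["cveID"]: v for v in vulns}
    rows = []
    for host, open_cves in sorted(inventory.items()):
        for cve in sorted(open_cves):
            entry = by_cve.get(cve)
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            days_left = (due - today).days
            rows.append({
                "host": host,
                "cve": cve,
                "dueDate": entry["dueDate"],
                "daysLeft": days_left,
                "status": "OVERDUE" if days_left < 0 else "OPEN",
                "requiredAction": entry["requiredAction"],
            })
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV)
    print("KEV ColdFusion entries:",
          [v["cveID"] for v in entries_for_product(kev, "adobe", "coldfusion")])
    for row in remediation_report(kev, SAMPLE_INVENTORY, "2023-08-01"):
        print(f"{row['host']:<12} {row['cve']:<16} due {row['dueDate']} "
              f"({row['daysLeft']:+d} days) {row['status']}")
```

In production you would replace `SAMPLE_KEV` with the downloaded feed and `SAMPLE_INVENTORY` with scanner output; the report then doubles as the evidence trail that each KEV-listed ColdFusion instance was closed before its due date.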
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Adobe patched the pre-authentication access control bypass and RCE vulnerabilities CVE-2023-29298 and CVE-2023-29300 on July 11. The company also mistakenly alerted customers that CVE-2023-29300 was being exploited and later removed the warning.
Two days later, Rapid7 said it had observed attackers chaining together exploits for CVE-2023-29298 and what looked like the CVE-2023-29300/CVE-2023-38203 flaws to deploy web shells on vulnerable ColdFusion servers and gain initial access to the targeted devices.
On Monday, July 17, Rapid7 found that a bypass for the CVE-2023-29298 patch (now tracked as CVE-2023-38205) was already being exploited in attacks.
“Rapid7 researchers determined on Monday, July 17 that the fix provided by Adobe for CVE-2023-29298 on July 11 is incomplete and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14),” Rapid7 said.
Adobe released emergency security updates to tackle the new actively exploited zero-day CVE-2023-38205 on July 19, warning customers that it was being abused in the wild “in limited attacks targeting Adobe ColdFusion.”