CISA has added a critical vulnerability impacting the 2021 and 2018 versions of Adobe ColdFusion to its catalog of exploited security bugs in the wild.
This critical arbitrary code execution flaw (CVE-2023-26360) is due to an improper access control weakness, and it can be abused remotely by unauthenticated attackers in low-complexity attacks that do not require user interaction.
Adobe patched the Application Server vulnerability in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 and said it was being exploited in zero-day attacks.
“Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” the company said in a security advisory published on Tuesday.
Although the flaw also affects ColdFusion 2016 and ColdFusion 11 installations, Adobe no longer provides security updates for unsupported versions.
Administrators are advised to install the security updates as soon as possible (within 72 hours, if possible) and to apply the security configuration settings described in the ColdFusion 2018 and ColdFusion 2021 lockdown guides.
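One way an administrator can turn the advice above into a repeatable check is to triage a host inventory against the fixed update levels the article names (ColdFusion 2018 Update 16, ColdFusion 2021 Update 6) and flag the 2016 and 11 installations that receive no fix at all. The script below is an added example, not Adobe's or CISA's tooling; the CSV-style inventory format, the host names and the update numbers in the sample data are constructed for illustration, and the lockdown-guide settings are not modeled because the article does not list them.

```python
"""Triage a ColdFusion inventory against the patch levels named in the advisory.

Added example (not Adobe's or CISA's code). Fixed levels come from the advisory:
ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6. ColdFusion 2016 and 11
are out of support, so no update level makes them "patched".
"""

# Update level at which CVE-2023-26360 is fixed, per major version (from the advisory).
FIXED_UPDATE = {"2018": 16, "2021": 6}

# Versions the advisory says no longer receive security updates.
UNSUPPORTED = {"11", "2016"}

# Constructed sample inventory: hostname, major version, applied update level.
# The host names and update numbers are made up for this example.
INVENTORY = """\
cf-app-01,2021,6
cf-app-02,2021,4
cf-legacy-01,2018,15
cf-legacy-02,2018,16
cf-old-01,2016,17
cf-old-02,11,22
"""


def classify(version: str, update: int) -> str:
    """Return 'patched', 'vulnerable', 'unsupported' or 'unknown' for one host."""
    if version in UNSUPPORTED:
        # No fix exists; the only remediation is upgrading or retiring the host.
        return "unsupported"
    fixed = FIXED_UPDATE.get(version)
    if fixed is None:
        # A version the advisory does not cover; needs manual review, not a guess.
        return "unknown"
    return "patched" if update >= fixed else "vulnerable"


def triage(inventory_text: str) -> dict:
    """Parse the inventory and map each hostname to its classification."""
    result = {}
    for line in inventory_text.strip().splitlines():
        host, version, update = (field.strip() for field in line.split(","))
        result[host] = classify(version, int(update))
    return result


def hosts_needing_action(inventory_text: str) -> list:
    """Hosts that must be patched (vulnerable) or replaced (unsupported)."""
    return sorted(
        host
        for host, status in triage(inventory_text).items()
        if status in ("vulnerable", "unsupported")
    )


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:14} {status}")
    print("action required:", ", ".join(hosts_needing_action(INVENTORY)))
```

Run against a real inventory export, the "unsupported" bucket is the one to escalate first: those hosts cannot be brought to a fixed update level and need an upgrade plan rather than a patch window.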
Security Updates Deemed Urgent by CISA and Researchers
CISA has given all U.S. Federal Civilian Executive Branch (FCEB) agencies three weeks, until April 5, to secure their systems against potential attacks using CVE-2023-26360 exploits.
Although the November 2021 Binding Operational Directive (BOD 22-01) behind the CISA order applies only to federal agencies, all organizations are strongly urged to patch their systems to thwart exploit attempts that may target their networks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
While Adobe has also released a separate blog post announcing the March 2023 security updates for ColdFusion 2021 and 2018, it failed to mention that the patched security vulnerabilities were also being exploited in the wild.
Charlie Arehart, one of the two security researchers credited with discovering and reporting the CVE-2023-26360 bug, warned ColdFusion administrators in a comment on Adobe’s blog about the real importance of the security updates and the need to apply them urgently.
“This security patch is far more important than the wording of this blog post suggests and even than the technical patch notes suggest,” Arehart warned.
“To be clear, I have personally seen the ‘arbitrary code execution’ and ‘arbitrary filesystem read’ vulnerabilities perpetrated on multiple servers, and this is serious.”