Adobe ColdFusion Vulnerability Could Lead to Arbitrary Code Execution
CVE-2023-26360

8.6HIGH

Key Information:

Vendor: Adobe
Status: ColdFusion
Vendor: CVE Published:; 23 March 2023

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 49%🦅 CISA Reported📰 News Worthy

Summary

CVE-2023-26360 is a critical vulnerability affecting Adobe ColdFusion 2018 Update 15 and earlier, as well as ColdFusion 2021 Update 5 and earlier. This improper access control vulnerability can be exploited remotely by unauthenticated attackers to achieve arbitrary code execution without user interaction. The flaw has been exploited in the wild in a limited number of attacks. Adobe has released security updates for ColdFusion 2018 and ColdFusion 2021 to address this vulnerability. CISA has issued an urgent warning, requiring U.S. Federal Civilian Executive Branch agencies to secure their systems against potential attacks exploiting CVE-2023-26360 by April 5, 2023. It is advised for all organizations to apply the security updates to mitigate the risk and apply the necessary security configuration settings as outlined in the ColdFusion 2018 and ColdFusion 2021 lockdown guides.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

ColdFusion <= unspecified

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-26360
Created by yosef0x01

ColdFusion_EXp
Created by CuriousLearnerDev

CVE-2023-26360
Created by issamjr