CVE-2023-26360: RCE Vulnerability in Adobe ColdFusion

July 17, 2023
by Andres Ramos

Summary

In April 2023, Adobe fixed a high severity deserialization vulnerability (CVE-2023-26360, CVSS 8.6) in Adobe ColdFusion. Adobe ColdFusion is a web application development platform that uses the ColdFusion Markup Language (CFML) for server-side scripting. A threat actor can exploit this remote deserialization of untrusted data vulnerability to achieve remote code execution (RCE) on a target system. Adobe has stated they are aware that this vulnerability has been exploited in limited attacks.

On December 5, 2023, CISA published an advisory disclosing that between June and July 2023 this vulnerability was exploited to compromise at least two public-facing servers belonging to a Federal Civilian Executive Branch (FCEB) agency.

Recommendation for CVE-2023-26360

Update Adobe ColdFusion to Fixed Version

Arctic Wolf strongly recommends upgrading Adobe ColdFusion to the latest fixed version.

Product	Affected Version	Fixed Version
Adobe ColdFusion 2018	Update 15 and earlier versions	Update 16
Adobe ColdFusion 2021	Update 5 and earlier versions	Update 6

Please follow your organization’s patching and testing guidelines to avoid operational impact.

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

Platform

Concierge

Journey

Reduce Attack Frequency

Reduce Attack Severity

Transfer Risk

Get Started

Why Arctic Wolf

Expertise by Topic

Incident Response Timelines

Expertise by Industry

Resource Center

Trending Resources

The Arctic Wolf Threat Report draws upon the first-hand experience of our security experts, augmented by research from our threat intelligence team.

The Arctic Wolf State of Cybersecurity: 2025 Trends Report serves as an opportunity for decision makers to share their experiences over the past 12 months and their perspectives on some of the most important issues shaping the IT and security landscape.

Join Arctic Wolf on an interactive journey to discover a better path past the hazards of the modern threat landscape.

Security Bulletins

Microsoft Patch Tuesday October 2025

CVE-2025-61884: Oracle Releases Emergency Patch for Information Disclosure Flaw

SonicWall Concludes Investigation Into Incident Affecting MySonicWall Configuration Backup Files

Partners

Company

Careers

Press

Brand Partnerships

CVE-2023-26360: RCE Vulnerability in Adobe ColdFusion

Summary

Recommendation for CVE-2023-26360

Update Adobe ColdFusion to Fixed Version

References

Popular Topics

Share this post:

What to read next

9 min read

Implementing Effective Security Awareness Training for Employees: Top Challenges and How To Solve Them

11 min read

Microsoft Patch Tuesday October 2025

9 min read

Key Capabilities and Benefits of an MDR Solution

4 min read

The Human Element: Navigating the Widening Gap Between Confidence and Reality in Cybersecurity

Arctic Wolf Networks 8939 Columbine Rd Eden Prairie, MN 55347

1.888.272.8429

© 2025 Arctic Wolf Networks Inc. All Rights Reserved.

Privacy Notice

Terms of Use

Cookie Policy

Accessibility Statement

Information Security

Sustainability Statement

Cookies Settings

Arctic Wolf Networks
8939 Columbine Rd
Eden Prairie, MN 55347