Summary
In April 2023, Adobe fixed a high severity deserialization vulnerability (CVE-2023-26360, CVSS 8.6) in Adobe ColdFusion. Adobe ColdFusion is a web application development platform that uses the ColdFusion Markup Language (CFML) for server-side scripting. A threat actor can exploit this remote deserialization of untrusted data vulnerability to achieve remote code execution (RCE) on a target system. Adobe has stated they are aware that this vulnerability has been exploited in limited attacks.
On December 5, 2023, CISA published an advisory disclosing that between June and July 2023 this vulnerability was exploited to compromise at least two public-facing servers belonging to a Federal Civilian Executive Branch (FCEB) agency.
Recommendation for CVE-2023-26360
Update Adobe ColdFusion to Fixed Version
Arctic Wolf strongly recommends upgrading Adobe ColdFusion to the latest fixed version.
| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| Adobe ColdFusion 2018 | Update 15 and earlier versions | Update 16 |
| Adobe ColdFusion 2021 | Update 5 and earlier versions | Update 6 |
Please follow your organization’s patching and testing guidelines to avoid operational impact.