CVE-2023-26360: RCE Vulnerability in Adobe ColdFusion

Share :


In April 2023, Adobe fixed a high severity deserialization vulnerability (CVE-2023-26360, CVSS 8.6) in Adobe ColdFusion. Adobe ColdFusion is a web application development platform that uses the ColdFusion Markup Language (CFML) for server-side scripting. A threat actor can exploit this remote deserialization of untrusted data vulnerability to achieve remote code execution (RCE) on a target system. Adobe has stated they are aware that this vulnerability has been exploited in limited attacks.

On December 5, 2023, CISA published an advisory disclosing that between June and July 2023 this vulnerability was exploited to compromise at least two public-facing servers belonging to a Federal Civilian Executive Branch (FCEB) agency.

Recommendation for CVE-2023-26360

Update Adobe ColdFusion to Fixed Version

Arctic Wolf strongly recommends upgrading Adobe ColdFusion to the latest fixed version.

Product Affected Version Fixed Version
Adobe ColdFusion 2018 Update 15 and earlier versions Update 16
Adobe ColdFusion 2021 Update 5 and earlier versions Update 6

Please follow your organization’s patching and testing guidelines to avoid operational impact.


  1. Adobe Security Bulletin
  2. CISA
Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents
Subscribe to our Monthly Newsletter