The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.
“Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,” CISA said.
The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.
It’s worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL).
While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”
Federal Civilian Executive Branch (FCEB) agencies are required to apply the updates by April 5, 2023, to safeguard their networks against potential threats.
Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read.”