The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.

“Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,” CISA said.

The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.
It’s worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, but those releases are no longer supported by the software company, as they have reached end-of-life (EoL).
While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it’s aware of the flaw being “exploited in the wild in very limited attacks.”
Federal Civilian Executive Branch (FCEB) agencies are required to apply the updates by April 5, 2023, to safeguard their networks against potential threats.

Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read.”