CISA Adds Adobe ColdFusion Flaw to Exploited Vulnerabilities Catalog

The flaw can result in arbitrary code execution in the context of the current user.

The US and Infrastructure Security Agency (CISA) has included a critical flaw, identified as CVE-2023-26359 with a CVSS score of 9.8, affecting ColdFusion in its Known Exploited Vulnerabilities Catalog. This information was reported by Security Affairs.

Details of the Vulnerability

The flaw, which Adobe addressed in March 2023, pertains to the deserialization of untrusted data in Adobe ColdFusion. This can result in arbitrary code execution in the context of the current user. Adobe's advisory highlighted that Coldfusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) of ColdFusion are susceptible to this vulnerability. Notably, the exploitation of this flaw does not necessitate user interaction. Adobe has acknowledged a few instances of attacks exploiting this flaw in the wild.

Mandate for Federal Agencies

In line with CISA´s Binding Operational Directive (BOD) 22-01, which aims to mitigate the substantial risk of known exploited vulnerabilities, US Federal Civilian Executive Branch Agencies (FCEB) are required to address these identified vulnerabilities by a specified deadline to safeguard their networks from potential attacks. The deadline set by CISA for federal agencies to rectify this flaw is September 11, 2023. Experts also advise private organizations to review the Catalog and address any vulnerabilities present in their infrastructure.

Earlier Exploits and Adobe's Response

Adobe had previously warned about a critical zero-day flaw in its ColdFusion web app development platform, which had been exploited in a limited number of attacks. This flaw, designated as CVE-2023-26360 with a CVSS base score of 8.6, pertains to Improper Access Control, allowing remote attackers to execute arbitrary code. This vulnerability could also lead to arbitrary file system reads and memory leaks. The company also rectified a ColdFusion Path Traversal flaw, CVE-2023-26361, which can lead to memory leaks. In March 2023, Adobe released multiple patches addressing a total of 105 vulnerabilities across various products. However, only the patch for ColdFusion was listed as being actively exploited.