PT-2023-1713 · Adobe · Coldfusion

Published: 2023-03-14 · Updated: 2025-10-24 · CVE-2023-26360

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier)

Description: The vulnerability in Adobe ColdFusion stems from improper access control combined with deserialization of untrusted data, which can lead to arbitrary code execution in the context of the current user. Exploitation does not require user interaction. Threat actors have used this vulnerability to gain initial access to government servers. The number of potentially affected devices worldwide is not specified, but the vulnerability has been exploited in real-world incidents, including breaches of US government agencies.

Recommendations: For Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), update to a version that contains the fix, such as Adobe ColdFusion 2018 Update 16 or later. As a temporary workaround, restrict access to the vulnerable ColdFusion server until the patch can be applied. Additionally, follow recommended mitigations, such as those published by CISA, to protect against exploitation of this vulnerability.

Tags: Exploit · Fix · RCE · Improper Access Control


Weakness Enumeration

Related Identifiers: BDU:2023-01291, CVE-2023-26360

Affected Products: Coldfusion