CISA Adds Adobe ColdFusion Bug to Known Exploited Vulnerabilities Catalog

March 16, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog. This week, Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve the flaw, which has been exploited in very limited attacks.

"Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," said the company in an advisory. The vulnerability is an Improper Access Control that can allow a remote attacker to execute arbitrary code, as well as arbitrary file system read and memory leak.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. CISA orders federal agencies to fix this flaw by April 5, 2023. Private organizations are also encouraged to review the Catalog and address the vulnerabilities in their infrastructure.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.