The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog. This week, Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve the flaw, which has been exploited in very limited attacks.
"Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," said the company in an advisory. The vulnerability is an Improper Access Control that can allow a remote attacker to execute arbitrary code, as well as arbitrary file system read and memory leak.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. CISA orders federal agencies to fix this flaw by April 5, 2023. Private organizations are also encouraged to review the Catalog and address the vulnerabilities in their infrastructure.