The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2023-26359, is a deserialization-of-untrusted-data bug affecting Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). Successful exploitation could allow arbitrary code execution in the context of the user running ColdFusion, with no user interaction required.
Deserialization, or unmarshaling, is the process of reconstructing a data structure or object from a sequence of bytes. The process becomes dangerous when the bytes come from an untrusted source and the deserializer instantiates whatever types the stream names without validating the source or restricting the contents: an attacker can point the stream at classes already present on the server (so-called gadgets) whose deserialization logic performs side effects, leading to code execution or denial-of-service (DoS). Adobe patched this vulnerability in the ColdFusion security update it released in March 2023 (APSB23-25).
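To make the failure mode above concrete, here is an added example that is not code from the original article or from Adobe: a minimal Java program (ColdFusion is a Java application, but nothing below is ColdFusion's own code) showing an unrestricted `ObjectInputStream.readObject()` beside a hardened version that uses an `ObjectInputFilter` allow-list (Java 9+). The `Order` class, the `Gadget` class and its harmless static-flag side effect are hypothetical stand-ins; a real gadget chain would live in a library already on the classpath and would run a command rather than set a flag.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    /** The one type the application legitimately expects to receive (hypothetical). */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final long skuId;
        final int quantity;
        Order(long skuId, int quantity) { this.skuId = skuId; this.quantity = quantity; }
    }

    /**
     * Stand-in for a gadget class: its readObject hook runs code the application
     * never intended. The side effect here is a static flag rather than
     * Runtime.exec so the demo is harmless; the point is that the hook runs
     * before the application ever sees the returned object.
     */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // an attacker-chosen readObject would execute a command here
        }
    }

    /** Helper used to build both the legitimate and the constructed hostile payloads. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable: reconstructs whatever class the byte stream names. */
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /** Hardened: an allow-list filter accepts only Order and rejects every other class. */
    static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        // Pattern syntax: exact class name to allow, then "!*" to reject everything else.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Order;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject(); // throws InvalidClassException for a rejected class
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new Order(42L, 3));
        byte[] hostile = serialize(new Gadget()); // constructed "attacker" payload

        unsafeDeserialize(hostile);
        System.out.println("unsafe path ran gadget code: " + Gadget.triggered);

        Gadget.triggered = false;
        Order o = (Order) safeDeserialize(legit);
        System.out.println("safe path accepted Order " + o.skuId + " x" + o.quantity);
        try {
            safeDeserialize(hostile);
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected gadget: " + e.getMessage());
        }
        System.out.println("gadget code ran on safe path: " + Gadget.triggered);
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The filter is the class-level check the paragraph above calls for: with it, the gadget's `readObject` never executes because the stream is rejected as soon as a disallowed class descriptor is encountered. The same allow-list can be applied process-wide with the `-Djdk.serialFilter=...` JVM property, which is the practical option when the vulnerable deserialization call sits in third-party code you cannot edit.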
At the moment, it is not clear how CVE-2023-26359 is being exploited in real-world attacks. The addition comes more than five months after CISA placed another ColdFusion vulnerability, CVE-2023-26360 (an improper access control flaw fixed in the same March 2023 update), in the KEV catalog. Adobe's advisory for that update acknowledged that CVE-2023-26360 had been exploited in 'very limited attacks' targeting ColdFusion; because both flaws are fixed by the same update, an installation current on ColdFusion patches is protected against both.
Given the active exploitation of this vulnerability, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to apply the necessary patches by September 11, 2023, in order to safeguard their networks against potential threats. Organizations outside the federal government that run ColdFusion 2018 or 2021 should treat the same deadline as guidance and confirm their installations are at a patch level later than Update 15 (2018) or Update 5 (2021).