CISA Adds Critical Adobe ColdFusion Vulnerability to Its Exploited Catalog

August 22, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical-severity vulnerability in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw, tracked as CVE-2023-26359, is a deserialization-of-untrusted-data bug affecting Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). Successful exploitation can lead to arbitrary code execution in the context of the current user, with no user interaction required.

Deserialization, or unmarshaling, is the process of reconstructing a data structure or object from a sequence of bytes. When an application deserializes input it does not control, without validating the source or constraining which types may be reconstructed, the bytes themselves dictate what objects are instantiated and what code runs as they are rebuilt; the usual consequences are code execution or denial-of-service (DoS). Adobe patched CVE-2023-26359 in the ColdFusion updates it released in March 2023.
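ColdFusion runs on the JVM, so the mechanism behind a bug of this class is Java object deserialization. The following is an added illustration, not code from this article, from Adobe, or from ColdFusion: a stand-in class (the hypothetical AuditRecord, whose readObject hook merely prints, where a real gadget chain would reach something like Runtime.exec) shows that unfiltered ObjectInputStream.readObject() runs type-specific code before the application sees the result, and that an ObjectInputFilter allow-list (JEP 290, Java 9+) rejects unexpected classes before that hook can fire. The class names and the "calc.exe" string are constructed sample data.

```java
import java.io.*;

public class DeserializationDemo {

    // Hypothetical stand-in for a gadget class: Java invokes readObject while
    // the object graph is being rebuilt, i.e. before any application-level check.
    static class AuditRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        String command;

        AuditRecord(String command) { this.command = command; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // A real gadget would act on attacker-chosen fields here; this one only reports.
            System.out.println("readObject hook ran with attacker-controlled field: " + command);
        }
    }

    // Produce the byte stream an attacker would send to the vulnerable endpoint.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: reconstruct whatever arrived on the wire.
    static Object unsafeDeserialize(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow-list the types this endpoint legitimately expects.
    // Pattern syntax is ObjectInputFilter's: entries separated by ';', '!' rejects,
    // '*' is a wildcard, and the trailing "!*" denies everything not listed.
    static Object safeDeserialize(byte[] data, String allowPattern)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(allowPattern));
            return ois.readObject();   // throws InvalidClassException if the filter rejects
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload: an instance of a class the endpoint never expected.
        byte[] payload = serialize(new AuditRecord("calc.exe"));

        System.out.println("-- unfiltered --");
        unsafeDeserialize(payload);              // hook runs; the attacker already has control

        System.out.println("-- filtered (only java.lang.String allowed) --");
        try {
            safeDeserialize(payload, "java.lang.String;!*");
        } catch (InvalidClassException e) {
            System.out.println("rejected before readObject could run: " + e.getMessage());
        }
    }
}
```

The filter is a mitigation for code you control; it does not substitute for applying the vendor patch, because the vulnerable deserialization path in ColdFusion sits inside the product, not in application code.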

At the moment, it is not clear how CVE-2023-26359 is being exploited in the wild. The addition comes more than five months after CISA added another ColdFusion vulnerability, CVE-2023-26360, to the KEV catalog; for that earlier flaw, Adobe acknowledged it was aware of exploitation in 'very limited attacks' targeting ColdFusion.

Given the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided patches by September 11, 2023 to protect their networks. Organizations outside the FCEB running ColdFusion 2018 or 2021 should treat the same deadline as a reasonable floor and verify that installed instances are at or beyond the March 2023 update level.
