The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability affecting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution.
“Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,” CISA said.
The vulnerability affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in Update 16 and Update 6, respectively, released on March 14, 2023.
It is worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, but these are no longer supported by the software company as they have reached end-of-life (EoL).
While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it is aware of the flaw being “exploited in the wild in very limited attacks.”
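The affected and fixed update levels above translate directly into an inventory check a defender can run against the version strings ColdFusion reports. The following is an added example, not code from the article, CISA or Adobe; it assumes the "release,minor,update,build" comma-separated layout of the ColdFusion version string (e.g. "2021,0,05,330109") and uses a constructed host inventory with made-up build numbers.

```python
# Added example (not from the article or Adobe): classify installed ColdFusion
# builds against the CVE-2023-26360 advisory data quoted in the article.
# Assumption: ColdFusion reports its version as "release,minor,update,build",
# e.g. "2021,0,05,330109"; only the release and update fields are used here.
from dataclasses import dataclass

# First fixed update per supported release, from the advisory text.
FIXED_UPDATE = {2018: 16, 2021: 6}
# Releases the article says are affected but end-of-life (no vendor fix).
END_OF_LIFE = {11, 2016}


@dataclass(frozen=True)
class Verdict:
    status: str   # "patched", "vulnerable", "eol-unsupported" or "unknown"
    detail: str


def parse_version(version: str) -> tuple[int, int]:
    """Return (release, update) from a comma-separated ColdFusion version string."""
    parts = [p.strip() for p in version.split(",")]
    if len(parts) < 3:
        raise ValueError(f"unexpected ColdFusion version format: {version!r}")
    return int(parts[0]), int(parts[2])


def assess(version: str) -> Verdict:
    """Decide whether a given build is patched for CVE-2023-26360."""
    release, update = parse_version(version)
    if release in END_OF_LIFE:
        return Verdict("eol-unsupported",
                       f"ColdFusion {release} is affected but EoL; no fix available, migrate")
    if release not in FIXED_UPDATE:
        return Verdict("unknown", f"ColdFusion {release} is not covered by the advisory")
    fixed = FIXED_UPDATE[release]
    if update >= fixed:
        return Verdict("patched", f"Update {update} is at or above Update {fixed}")
    return Verdict("vulnerable", f"Update {update} is below Update {fixed}; apply Update {fixed}")


def hosts_needing_action(inventory: dict[str, str]) -> dict[str, Verdict]:
    """Return every host whose build is not confirmed patched."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {host: v for host, v in results.items() if v.status != "patched"}


# Constructed inventory; hostnames and build numbers are invented for the example.
SAMPLE_INVENTORY = {
    "cf-app-01": "2021,0,05,330109",     # ColdFusion 2021 Update 5 -> vulnerable
    "cf-app-02": "2021,0,06,330132",     # ColdFusion 2021 Update 6 -> patched
    "cf-legacy-01": "2018,0,15,330132",  # ColdFusion 2018 Update 15 -> vulnerable
    "cf-old-01": "2016,0,17,325979",     # ColdFusion 2016 -> EoL, still affected
}

if __name__ == "__main__":
    for host, verdict in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict.status} ({verdict.detail})")
```

Feed `hosts_needing_action` the version strings gathered from your own servers; anything reported as "vulnerable" falls under the April 5 remediation deadline, and "eol-unsupported" hosts cannot be brought into compliance by patching alone.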
Federal Civilian Executive Branch (FCEB) agencies are required to apply the updates by April 5, 2023, to safeguard their networks against potential threats.
Charlie Arehart, a security researcher credited with discovering and reporting the flaw alongside Pete Freitag, described it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read.”