CVE-2023-26359
published 2023-03-23


Priority: P1 88 · CVSS 3.1 9.8 critical
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW
CISA Known Exploited Vulnerability, due 2023-09-11
Exploited in the wild
EPSS: 17.94% (96.8th percentile)
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Affected (3 ranges)

Vendor  Product     Version range  Fixed in
adobe   coldfusion
adobe   coldfusion
adobe   coldfusion  unspecified    CF2018U15, CF2021U5

Detection & IOCs (extracted from sources)

url: .cfc?
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d 7b|"; startswith; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049530; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_26359, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d|%7b"; startswith; nocase; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049531; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_26359, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: _cfclient|3d|true
bytes: _variables|3d 7b|
bytes: _variables|3d|%7b
  • Exploit traffic uses HTTP POST to a .cfc endpoint with URI parameters method= and _cfclient=true, and a request body starting with _variables={ (raw or URL-encoded). Both M1 (literal brace) and M2 (URL-encoded %7b) variants should be covered.
  • GreyNoise tagged active scanning/exploitation attempts under the tag 'Adobe ColdFusion RCE CVE-2023-26359 Attempt'; monitor for IPs carrying this tag.
  • The vulnerability is a deserialization of untrusted data flaw exploitable without user interaction; monitor ColdFusion servers for unexpected outbound connections or process spawning following POST requests to .cfc endpoints.
  • The Snort rules (sid:2049530 and sid:2049531) cover both CVE-2023-26359 and CVE-2023-26360 together; they cannot distinguish between the two CVEs individually.
  • The rules require SSL/TLS inspection (deployment tag SSLDecrypt) to be effective against HTTPS-protected ColdFusion endpoints.
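The matching logic of the two rules above (sid:2049530, M1, and sid:2049531, M2), re-implemented as an added example that is not part of this page or of the rule author's work, so the conditions can be checked offline against captured requests; the sample requests, the /app/Example.cfc path and the host are constructed placeholders.

```python
from typing import Optional

def classify_request(raw: bytes) -> Optional[str]:
    """Return "M1", "M2" or None, applying the same conditions as the two rules."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None                                  # no header/body boundary
    method, _, rest = head.split(b"\r\n", 1)[0].partition(b" ")
    uri = rest.partition(b" ")[0]
    if method != b"POST":                            # http.method; content:"POST"
        return None
    # http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"
    if not (b".cfc?" in uri and b"method=" in uri and b"_cfclient=true" in uri):
        return None
    if body.startswith(b"_variables={"):             # M1: _variables|3d 7b|; startswith
        return "M1"
    if body.lower().startswith(b"_variables=%7b"):   # M2: _variables|3d|%7b; startswith; nocase
        return "M2"
    return None

def _req(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Build a minimal raw HTTP/1.1 request (constructed test input)."""
    return (method + b" " + uri + b" HTTP/1.1\r\nHost: cf.example.test\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + body)

# Constructed sample requests; /app/Example.cfc is a placeholder, not a real endpoint.
SAMPLES = {
    "raw_brace":   _req(b"POST", b"/app/Example.cfc?method=run&_cfclient=true", b"_variables={}"),
    "url_encoded": _req(b"POST", b"/app/Example.cfc?method=run&_cfclient=true", b"_VARIABLES=%7B%7D"),
    "no_cfclient": _req(b"POST", b"/app/Example.cfc?method=run", b"_variables={}"),
    "get_request": _req(b"GET",  b"/app/Example.cfc?method=run&_cfclient=true", b""),
}

def scan(samples: dict) -> dict:
    """Map each sample name to the rule variant it triggers (or None)."""
    return {name: classify_request(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hit in scan(SAMPLES).items():
        print(f"{name:12s} -> {hit}")
```

The mixed-case `_VARIABLES=%7B` sample exercises the `nocase` modifier that only M2 carries; M1 matches the literal brace only.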

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        3.1      9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL