CVE-2023-26359
Published 2023-03-23
CVE-2023-26359: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that…
PriorityP188critical9.8CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2023-09-11
Exploited in the wild
EPSS: 17.94% (96.8th percentile)
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | unspecified – CF2018U15, CF2021U5 | — |
Detection & IOCs (extracted from sources)
url: .cfc?
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d 7b|"; startswith; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049530; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_26359, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d|%7b"; startswith; nocase; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049531; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_26359, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: _cfclient|3d|true
bytes: _variables|3d 7b|
bytes: _variables|3d|%7b
- Exploit traffic uses HTTP POST to a .cfc endpoint with URI parameters method= and _cfclient=true, and a request body starting with _variables={ (raw or URL-encoded). Both the M1 (literal brace) and M2 (URL-encoded %7b) variants should be covered.
- GreyNoise tagged active scanning/exploitation attempts under the tag 'Adobe ColdFusion RCE CVE-2023-26359 Attempt'; monitor for IPs carrying this tag.
- The vulnerability is a deserialization of untrusted data flaw exploitable without user interaction; monitor ColdFusion servers for unexpected outbound connections or process spawning following POST requests to .cfc endpoints.
- The Snort rules (sid:2049530 and sid:2049531) cover both CVE-2023-26359 and CVE-2023-26360 together; they cannot distinguish between the two CVEs individually.
- The rules require SSL/TLS inspection (deployment tag SSLDecrypt) to be effective against HTTPS-protected ColdFusion endpoints.
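The following detector is an added example for this page, not the page's own code and not an Emerging Threats artifact. It replays the match conditions of sid:2049530 (M1) and sid:2049531 (M2) over plaintext HTTP requests, for instance requests logged by a reverse proxy after TLS termination, which is the same precondition the rules' SSLDecrypt deployment tag expresses. The sample requests, the host name cf.example.test and the path /app/Example.cfc are constructed for the demonstration; only the indicators from the rules themselves (POST, .cfc?, method=, _cfclient=true, a body beginning with _variables={ or _variables=%7b) drive the match.

```python
"""Replay the ET sid:2049530 (M1) and sid:2049531 (M2) match logic over
plaintext HTTP requests. Added example; not the page's or Emerging Threats' code.
Assumes requests are already decrypted (e.g. captured at a reverse proxy)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Rule identifiers as listed on the page; both map to the same pair of CVEs.
SIDS = {"M1": 2049530, "M2": 2049531}


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str
    body: bytes


def parse_raw_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, request-target and body.
    Assumes CRLF line endings and a single header block, which holds for the
    constructed samples below (a production parser would handle more)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, target, _version = request_line.split(b" ", 2)
    return HttpRequest(method.decode("ascii"), target.decode("ascii", "replace"), body)


def match_coldfusion_cfc_probe(req: HttpRequest) -> Optional[str]:
    """Return "M1", "M2" or None using the same conditions as the two rules.

    Shared URI conditions: method POST; ".cfc?", "method=" and "_cfclient=true"
    all present (case-sensitive, since the rules carry no nocase on them).
    Body: M1 needs the literal bytes "_variables={" at offset 0 (startswith);
    M2 needs "_variables=%7b" at offset 0, matched case-insensitively (nocase)."""
    if req.method != "POST":
        return None
    if not (".cfc?" in req.uri and "method=" in req.uri and "_cfclient=true" in req.uri):
        return None
    if req.body.startswith(b"_variables={"):
        return "M1"
    m2_prefix = b"_variables=%7b"
    if req.body[: len(m2_prefix)].lower() == m2_prefix:
        return "M2"
    return None


# Constructed sample traffic (not captured from any real host). The body is a
# placeholder JSON object; the detector only inspects its leading bytes.
CONSTRUCTED_SAMPLES: Dict[str, bytes] = {
    "m1_literal_brace": (
        b"POST /app/Example.cfc?method=run&_cfclient=true HTTP/1.1\r\n"
        b"Host: cf.example.test\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
        b'_variables={"a":1}'
    ),
    "m2_url_encoded_upper": (
        b"POST /app/Example.cfc?method=run&_cfclient=true HTTP/1.1\r\n"
        b"Host: cf.example.test\r\n\r\n"
        b"_VARIABLES=%7B%22a%22%3A1%7D"
    ),
    "get_not_post": (
        b"GET /app/Example.cfc?method=run&_cfclient=true HTTP/1.1\r\n"
        b"Host: cf.example.test\r\n\r\n"
    ),
    "missing_cfclient": (
        b"POST /app/Example.cfc?method=run HTTP/1.1\r\n"
        b"Host: cf.example.test\r\n\r\n"
        b'_variables={"a":1}'
    ),
    "variables_not_first": (
        b"POST /app/Example.cfc?method=run&_cfclient=true HTTP/1.1\r\n"
        b"Host: cf.example.test\r\n\r\n"
        b'other=1&_variables={"a":1}'
    ),
}


def scan_requests(samples: Dict[str, bytes]) -> Dict[str, Optional[int]]:
    """Map each sample name to the sid that would fire, or None."""
    result: Dict[str, Optional[int]] = {}
    for name, raw in samples.items():
        variant = match_coldfusion_cfc_probe(parse_raw_request(raw))
        result[name] = SIDS[variant] if variant else None
    return result


if __name__ == "__main__":
    for name, sid in scan_requests(CONSTRUCTED_SAMPLES).items():
        print(f"{name:24s} -> {sid if sid else 'no match'}")
```

Like the rules it mirrors, this check fires on both CVE-2023-26359 and CVE-2023-26360 and cannot tell them apart; a hit should be correlated with ColdFusion patch level and with post-request host activity (new outbound connections, child processes) rather than treated as proof of either CVE on its own. The `startswith` semantics matter: a body where `_variables=` is not the first parameter does not match, exactly as in the rules.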
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-p4mq-mqpj-7xcj: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerabili
ghsa_unreviewed·2023-03-23
CVE-2023-26359 [CRITICAL] CWE-502 GHSA-p4mq-mqpj-7xcj: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerabili
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
VulnCheck
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
vulncheck·2023·CVSS 9.8
CVE-2023-26359 [CRITICAL] CWE-502 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/outbreak-alert/adobe-coldfusion-code-execution; https://www.fortiguard.com/outbreak-alert/adobe-coldfusion-access-bypass; https://www.labs.greynoise.io/grimoire/2025-12-26-coldfusion/
Remediation Due: 2023-09-11
CISA
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
cisa·2023-08-21·CVSS 9.8
CVE-2023-26359 [CRITICAL] CWE-502 Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Vulnerability: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Affected: Adobe ColdFusion
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that could result in code execution in the context of the current user.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb23-25.html; https://nvd.nist.gov/vuln/detail/CVE-2023-26359
Remediation Due Date: 2023-09-11
Suricata
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1
suricata·2023-12-06·CVSS 9.8
CVE-2023-26359 [CRITICAL] ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d 7b|"; startswith; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049530; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_2023_263
Suricata
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2
suricata·2023-12-06·CVSS 9.8
CVE-2023-26359 [CRITICAL] ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2
ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; content:"method|3d|"; content:"_cfclient|3d|true"; fast_pattern; http.request_body; content:"_variables|3d|%7b"; startswith; nocase; reference:cve,2023-26359; reference:cve,2023-26360; reference:url,realalphaman.medium.com/adobe-coldfusion-lfi-lead-to-rce-cve-2023-26359-cve-2023-26360-bd1c4b0e24bc; classtype:attempted-admin; sid:2049531; rev:3; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_06, cve CVE_2023_26360_CVE_
No public exploits indexed.
Greynoiseio
GreyNoise Round Up: Product Updates
blogs_greynoiseio
Greynoiseio
NoiseLetter
blogs_greynoiseio
2023-03-23 · Published
2023-08-21 · Added to CISA KEV
Exploited in the wild