CVE-2023-26360
published 2023-03-23

Priority: P1 · 97 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-04-05
Exploited in the wild
EPSS: 97.11% (99.9th percentile)
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Affected (3 ranges)

Vendor   Product      Version range              Fixed in
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion   unspecified – CF2018U15

Detection & IOCs (extracted from sources)

  • Webshell activity can be detected by monitoring for OS commands (e.g., whoami) spawning from w3wp.exe (IIS worker process), which is a telltale sign of webshell execution.
  • Hunt for .aspx files placed in image directories (e.g., wwwroot\Images) as a sign of steganographic webshell deployment post-ColdFusion exploitation.
  • Detect the string 'ONEPIECE' in webshell responses or file contents — it appeared in all webshells used throughout this CVE-2023-26360 attack chain.
  • Alert on HTTP requests targeting CFIDE/adminapi paths (e.g., /CFIDE/adminapi/_datasource/, /CFIDE/adminapi/serverinstance.cfc) as these are known exploitation targets for CVE-2023-26360 and CVE-2023-29298.
  • Detect IIS log disabling via appcmd: monitor for execution of '%windir%\system32\inetsrv\appcmd set config /section:httpLogging /dontLog:True' as a post-exploitation defence impairment step.
  • Alert on bulk taskkill commands targeting security tools (sysmon.exe, sysmon64.exe, filebeat.exe, cyserver.exe, SentinelMemoryScanner.exe, SentinelUI.exe, DRwebcom.exe) followed by sc stop/delete for the same services.
  • Hunt for .NET web shell DLLs whose filename matches the pattern App_Web_[a-z0-9]{8}\.dll (eight lowercase alphanumerics, e.g. App_Web_dentsd54.dll) dropped into the ASP.NET temporary files path, associated with post-exploitation activity following CVE-2023-26360.
  • Monitor for timestomped MAC metadata on newly created webshell files, used by threat actors to corrupt forensic timelines after ColdFusion exploitation.
  • The exact initial access mechanism could not be confirmed due to insufficient logging; ColdFusion exploitation is inferred from historical log artifacts, not direct observation.
  • The Tropic Trooper/Securelist attribution of CVE-2023-26360 exploitation is assessed with only moderate confidence based on telemetry overlap, not confirmed forensic evidence.
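The detection notes above applied to a handful of constructed event records, as an added example that is not code from this page or its sources; the "kind|field=value" record format, the field names and the sample paths are assumptions made for the example.

```python
import re

# Constructed sample events (not taken from the page's sources): IIS requests,
# process-creation, file-creation and response records in a simple
# "kind|k=v|k=v" form assumed for this example.
SAMPLE_EVENTS = [
    "http|path=/CFIDE/adminapi/_datasource/setdsn.cfm|status=200",
    "http|path=/cfide/adminapi/serverinstance.cfc|status=200",
    "http|path=/index.cfm|status=200",
    "proc|parent=w3wp.exe|image=cmd.exe|cmdline=cmd.exe /c whoami",
    "proc|parent=w3wp.exe|image=appcmd.exe|cmdline=%windir%\\system32\\inetsrv\\appcmd set config /section:httpLogging /dontLog:True",
    "file|path=C:\\inetpub\\wwwroot\\Images\\WRBYTR5750images.aspx",
    "file|path=c:\\microsoft.net\\framework64\\v4.0.30319\\temporary asp.net files\\root\\App_Web_dentsd54.dll",
    "resp|path=/Images/WRBYTR5750images.aspx|body=ONEPIECE uid=iis apppool",
]

# Patterns taken from the detection notes: adminapi paths, the appcmd logging
# switch, the App_Web_<8 chars>.dll webshell name, .aspx files under Images.
ADMINAPI_RE = re.compile(r"/CFIDE/adminapi/", re.IGNORECASE)
LOG_DISABLE_RE = re.compile(r"appcmd\s+set\s+config\s+/section:httpLogging\s+/dontLog:True", re.IGNORECASE)
WEBSHELL_DLL_RE = re.compile(r"\\temporary asp\.net files\\.*\\App_Web_[a-z0-9]{8}\.dll$", re.IGNORECASE)
IMAGE_ASPX_RE = re.compile(r"\\wwwroot\\Images\\[^\\]+\.aspx$", re.IGNORECASE)
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe"}

def parse(line):
    """Split one record into its kind and a dict of its fields."""
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)

def classify(line):
    """Return the names of the detections that fire for one event record."""
    kind, ev = parse(line)
    hits = []
    if kind == "http" and ADMINAPI_RE.search(ev["path"]):
        hits.append("cf_adminapi_request")
    if kind == "proc":
        if ev["parent"].lower() == "w3wp.exe" and ev["image"].lower() in SHELL_CHILDREN:
            hits.append("w3wp_spawns_shell")
        if LOG_DISABLE_RE.search(ev["cmdline"]):
            hits.append("iis_logging_disabled")
    if kind == "file":
        if WEBSHELL_DLL_RE.search(ev["path"]):
            hits.append("aspnet_temp_webshell_dll")
        if IMAGE_ASPX_RE.search(ev["path"]):
            hits.append("aspx_in_image_dir")
    if kind == "resp" and "ONEPIECE" in ev["body"]:
        hits.append("onepiece_marker")
    return hits

def run(lines=SAMPLE_EVENTS):
    """Map each record that triggered at least one detection to its hits."""
    return {line: classify(line) for line in lines if classify(line)}
```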

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.6 HIGH
cisa: 9.8 CRITICAL