⚠ Actively exploited

Added to CISA KEV on 2023-03-15. Federal agencies required to patch by 2023-04-05. Required action: Apply updates per vendor instructions..

CVE-2023-26360 — Improper Access Control in Adobe Coldfusion

CWE-284 — Improper Access Control18 documents12 sources

Severity

9.8CRITICALNVD

CNA8.6VulnCheck8.6

EPSS

94.3%

top 0.05%

CISA KEV

KEV

Added 2023-03-15

Due 2023-04-05

Exploit

Exploited in wild

Active exploitation observed

Affected products

Adobe Coldfusion

Timeline

KEV addedMar 15

PublishedMar 23

KEV dueApr 5

Latest updateJan 12

CISA Required Action: Apply updates per vendor instructions.

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5adobe/coldfusionunspecified — CF2018U15+2

▶NVDadobe/coldfusion2018, 2021+1

Patches

Patch: helpx.adobe.com ↗Patch: helpx.adobe.com ↗

🔴Vulnerability Details

GHSA

GHSA-p86r-cr5m-73hp: Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that c↗2023-03-23

▶

CVEList

Adobe ColdFusion Improper Access Control Arbitrary code execution↗2023-03-23

▶

VulnCheck

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability↗2023

▶

💥Exploits & PoCs

Exploit-DB

Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read↗2024-03-11

▶

Nuclei

Adobe ColdFusion - Local File Read

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M1↗2023-12-06

▶

Suricata

ET WEB_SPECIFIC_APPS Adobe Coldfusion Local File Inclusion Attempt (CVE-2023-26360, CVE-2023-26359) M2↗2023-12-06

▶

Suricata

ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M1↗2023-12-05

▶

Suricata

ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M2↗2023-12-05

▶

Suricata

ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M3↗2023-12-05

▶

📋Vendor Advisories

CISA

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability↗2023-03-15

▶

🕵️Threat Intelligence

Wiz

Crying Out Cloud - January Newsletter | Wiz↗2024-01-01

▶

Bleepingcomputer

Hackers breach US govt agencies using Adobe ColdFusion exploit↗2023-12-05

▶

Sentinelone

CVE-2023-26360: A Critical Vulnerability in Adobe ColdFusion↗2023-05-25

▶

Sentinelone

CVE-2023-26360: A Critical Vulnerability in Adobe ColdFusion↗2023-05-25

▶

💬Community

HackerOne

Unauthenticated File Read Adobe ColdFusion↗2026-01-12

▶

HackerOne

Unauthenticated File Read Adobe ColdFusion↗2023-12-21

▶