On Monday, the Cybersecurity and Infrastructure Security Agency (CISA) warned about a critical arbitrary code execution vulnerability (CVE-2023-26360) in Adobe ColdFusion 2018 and 2021.
Risk of Exploitation Despite Adobe's Patches for Critical Vulnerability in ColdFusion 2021 and 2018
According to the story by Bleeping Computer, Adobe corrected the issue in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 patches. Despite this, there is still some risk of exploitation as this vulnerability was used in the wild as a zero-day attack.
Adobe has recently issued security updates for its ColdFusion version 2021 and 2018 that address a critical vulnerability rated 9.8 out of 10 on the CISA (Cybersecurity and Infrastructure Security Agency) vulnerability severity scale.
Exploitation of CVE-2023-26360 in the Wild by Malicious Cyber Actors
The issue in question, which carries the CVE-2023-26360 designation, is an Improper Access Control weakness that an unauthenticated attacker can exploit remotely in attacks not requiring any user interaction. It was noted that Adobe was aware of the CVE-2023-26360.
CISA has warned that malicious cyber actors have exploited this zero-day vulnerability in the wild. It has given all U.S. Federal Civilian Executive Branch Agencies (FCEB) a three-week deadline until April 5 to patch their systems.
The Importance of Applying the ColdFusion 2021 and 2018 March 2023 Security Updates
Adobe might not have had detailed information on what the attackers did in their post announcing the ColdFusion 2021 and 2018 March 2023 Security Updates. Still, security researcher Charlie Arehart warned ColdFusion admins of the patch's importance, emphasizing they must apply it as soon as possible.
According to Arehart, the vulnerability can allow the execution of arbitrary code and the reading of arbitrary files from the file system. He witnessed it being perpetrated on multiple servers.
Highlighting the Need for Organizations to Stay Updated with their Products' Security Patches
As such, many organizations are advised to patch their systems to ward off any potential exploitation attempts across their networks. The security updates addressing the vulnerability are now publicly available for Adobe ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6.
Unfortunately, there is no support for versions before them, such as ColdFusion 2016 and 11, highlighting the need for organizations to stay updated with their products' security patches.
Adobe's Recommended Security Configurations for Mitigating Potential Effects of a Breach
While patching as soon as possible is crucial, administrators must ensure their systems have adequate security configurations. In this regard, Adobe's ColdFusion 2018 and ColdFusion 2021 lockdown guides outline best practices and configuration settings for mitigating the potential effects of a security breach.
The patching process must be carried out promptly to defend networks and sensitive data against malicious actors.
Read Also: UK Cybersecurity Center Will Review Threats Posed by TikTok Amid Calls for Ban
The Need for Timely Installation of Security Updates in Adobe ColdFusion Deployments
Therefore, to protect their systems from potentially malicious actors, organizations with Adobe ColdFusion deployments that run at expired software versions should take the necessary steps to immediately get their systems up to date by installing security updates.
Especially organizations such as US Federal Civilian Executive Branch Agencies, which are already subject to conflicting authorities within shorter time frames, must ensure the patches are installed within the given time completely.
Related Article: India to Mandate Removal of Bloatware, Pre-installed Apps on Smartphones
