The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory on the active exploitation of a high-severity vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360. According to CISA, unidentified threat actors used the flaw to gain initial access to government web servers.
The vulnerability is classified as an improper access control issue and can lead to arbitrary code execution when exploited. CISA disclosed that a federal civilian executive branch (FCEB) agency was targeted between June and July 2023, and it published the incident details so that other organizations still running unpatched ColdFusion servers can check for the same activity.
The flaw affects ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). Adobe fixed it on March 14, 2023, in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6, respectively. Releases older than ColdFusion 2018 are out of support and receive no fix at all, so upgrading is the only remediation there. Any system that has not been updated remains exposed.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on March 15, 2023, the day after Adobe's patch, whose advisory already noted that the flaw had been exploited in very limited attacks. Despite that limited early footprint, CISA's advisory reports the compromise of at least two public-facing servers at the agency, both running outdated versions of the software.
The threat actors used the vulnerability to run commands on the compromised web servers and dropped malware by sending HTTP POST requests to directories associated with ColdFusion. CISA assesses the activity as reconnaissance: the adversaries explored the broader network, but CISA found no evidence of lateral movement or of successful data exfiltration.
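As an added illustration (not code from CISA's advisory or from Adobe), the following Python script triages Apache/NGINX-style access logs for the pattern just described: POST requests landing in ColdFusion-owned directories. The directory list, the secondary `.jsp` indicator and the sample log lines are all assumptions or constructed data, not indicators published with the advisory; adjust the directory prefixes to the virtual paths of the deployment being checked.

```python
"""Triage web-server access logs for POST requests into ColdFusion directories.

Added example, not CISA's or Adobe's code. Assumes Apache/NGINX "combined"
log format. The sample lines below are constructed for this example and do
not come from any real incident.
"""
import re
from collections import Counter
from datetime import datetime

# Directories that belong to a ColdFusion install (assumption: a typical
# default layout; compare lower-cased so IIS-style mixed case still matches).
COLDFUSION_DIRS = ("/cfide/", "/cfusion/", "/cf_scripts/")

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: two sources hitting ColdFusion paths, one normal
# application POST, one malformed line that must be skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2023:14:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [26/Jun/2023:14:02:15 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 614
198.51.100.23 - - [26/Jun/2023:14:03:40 +0000] "POST /cf_scripts/scripts/upload.cfm?dir=tmp HTTP/1.1" 200 88
198.51.100.23 - - [26/Jun/2023:14:03:52 +0000] "GET /cf_scripts/scripts/x.jsp HTTP/1.1" 200 312
192.0.2.44 - - [26/Jun/2023:14:05:00 +0000] "POST /app/login.cfm HTTP/1.1" 302 0
this line is deliberately malformed and should be skipped
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Drop the query string so prefix checks see only the path component.
    entry["path"] = entry["target"].split("?", 1)[0]
    entry["when"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return a reason string if the request matches the pattern, else None."""
    path = entry["path"].lower()
    if not any(path.startswith(d) for d in COLDFUSION_DIRS):
        return None
    if entry["method"] == "POST":
        return "POST to ColdFusion directory"
    # Secondary indicator (assumption): a .jsp being requested under a
    # ColdFusion directory is unusual for a stock install and is worth a look.
    if path.endswith(".jsp"):
        return "request for .jsp under ColdFusion directory"
    return None


def triage(log_text):
    """Return the flagged requests, in log order, with the reason for each."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({
                "src": entry["src"], "when": entry["when"],
                "method": entry["method"], "path": entry["path"],
                "status": entry["status"], "reason": reason,
            })
    return findings


def summarize(findings):
    """Count flagged requests per source address."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f'{h["when"].isoformat()} {h["src"]:>15} {h["method"]:4} '
              f'{h["status"]} {h["path"]}  <- {h["reason"]}')
    print("per-source counts:", summarize(hits))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; a source address that only ever POSTs into ColdFusion directories, especially against an unpatched build, is the first thing to pull into a timeline.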
In one incident, the attackers navigated the filesystem and uploaded several artifacts, including a binary capable of exporting web browser cookies and malware designed to decrypt the passwords ColdFusion stores for its data sources. In a second incident, beginning in early June 2023, the actors deployed a modified remote access trojan delivered as a web shell; the shell infected the host through a JavaScript loader and relied on communication with an actor-controlled server to receive its commands.
The adversary also attempted to exfiltrate Windows Registry files and unsuccessfully attempted to download data from a command-and-control (C2) server. CISA's analysis suggests the actors likely viewed the contents of the ColdFusion seed.properties file through the web shell. That file matters because it holds the seed value and encryption method ColdFusion uses to encrypt stored credentials such as data-source passwords; an attacker who has both the file and the encrypted credentials can recover them, so any server where the file may have been read should have its data-source passwords rotated.
Despite this access, CISA found no evidence of malicious code on the victim systems intended to decode any passwords that may have been obtained through the file. The incident underscores the risk of running outdated software on internet-facing servers and the need for organizations to apply vendor patches promptly and to monitor for exploitation of known vulnerabilities.