The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a significant security vulnerability affecting Adobe ColdFusion in its Known Exploited Vulnerabilities (KEV) catalog. This action follows evidence indicating active exploitation of the flaw.

Cataloged as CVE-2023-26359, with a CVSS score of 9.8, this vulnerability pertains to a deserialization issue found in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). Exploiting this flaw could allow for arbitrary code execution within the context of the current user, without requiring any user interaction.

Deserialization, also known as unmarshaling, reconstructs a data structure or object from a byte stream. When data is deserialized without validating its source or sanitizing its contents, the consequences can be severe, including arbitrary code execution and denial-of-service (DoS) attacks.
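An added example of the validation the paragraph above calls for; it is not from the article or from Adobe. Because ColdFusion runs on the JVM, it is written in Java and uses the standard `ObjectInputFilter` allowlist so that any class not expected in the stream is rejected before it is instantiated. The class names in the allowlist and the sample payloads are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class FilteredDeserialization {

    // Allowlist (constructed for this example): only the types the application
    // expects in the stream. "!*" rejects every other class, and maxdepth bounds
    // deeply nested object graphs that could exhaust the stack (a DoS vector).
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;java.util.ArrayList;java.lang.String;java.lang.Integer;!*");

    /** Deserializes untrusted bytes, rejecting any class that is not on the allowlist. */
    public static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST); // consulted before each class is resolved
            return in.readObject();
        }
    }

    /** Builds sample payloads in memory (constructed test data, not real traffic). */
    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        List<String> expected = new ArrayList<>(List.of("order-1", "order-2"));
        System.out.println("allowed: " + readFiltered(serialize(expected)));

        // A type the application never expected: the filter rejects it before its
        // readObject() logic can run, which is what blocks attacker-chosen classes.
        Map<String, Integer> unexpected = new HashMap<>();
        unexpected.put("k", 1);
        try {
            readFiltered(serialize(unexpected));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Applying the filter only to streams that truly need to carry objects, and keeping the allowlist as short as the application allows, is what turns this from a demo into an effective control.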

This vulnerability was addressed by Adobe in March 2023 with a security patch. However, as of this report, there is limited information available regarding how this flaw is being actively exploited in the field.

The timing of this announcement is particularly noteworthy, coming over five months after CISA added another vulnerability affecting the same Adobe product (CVE-2023-26360) to the KEV catalog. Adobe has acknowledged awareness of exploitation attempts involving this recent vulnerability, though it has described them as “very limited attacks.”

Given the ongoing exploitation of this vulnerability, it is imperative for Federal Civilian Executive Branch (FCEB) agencies to implement necessary patches by September 11, 2023, to safeguard their networks against potential threats.