Threat actors breached US govt systems by exploiting Adobe ColdFusion flaw

Pierluigi Paganini December 06, 2023

The U.S. CISA warns that threat actors are actively exploiting a critical vulnerability in Adobe ColdFusion to breach government agencies.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about threat actors actively exploiting a critical vulnerability (CVE-2023-26360) in Adobe ColdFusion to breach government agencies.

The flaw is an improper access control issue that can allow a remote attacker to execute arbitrary code. It can also lead to arbitrary file system reads and memory leaks.

The vulnerability impacts Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier).

In March 2023, threat actors exploited the vulnerability in attacks against government agencies. At the time, the flaw was a zero-day, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the critical vulnerability CVE-2023-26360 (CVSS score: 8.6) to its Known Exploited Vulnerabilities Catalog.

The US Cyber Defense Agency is now warning that threat actors are still exploiting the flaw CVE-2023-26360 in attacks. The Agency revealed that the attacks breached two federal agency systems in June.

The impacted servers were both running outdated versions of software.

The attackers dropped malware using HTTP POST commands to the directory path associated with ColdFusion.

“In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs,” reads the alert published by US CISA. “Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.”
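The delivery pattern CISA describes (HTTP POST requests to the ColdFusion directory path) is something a defender can hunt for in ordinary web-server access logs. The following triage script is an added example, not code from CISA or from the article's author; the log lines are constructed, and the set of ColdFusion-associated path prefixes it watches is an assumption to be adjusted to the deployment.

```python
"""Triage a web-server access log for HTTP POST/PUT requests aimed at
ColdFusion directories, the malware-delivery pattern CISA describes for
CVE-2023-26360. Added example; the log lines are constructed and the
watched path prefixes are an assumption, not taken from the CISA alert."""
import re
from collections import Counter

# Assumed ColdFusion-associated path prefixes; adjust to your deployment.
COLDFUSION_PREFIXES = ("/CFIDE/", "/cfusion/", "/cf_scripts/")

# Apache/Nginx "combined" log format (request line, status, response size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """POST or PUT to a ColdFusion-associated path, regardless of status.
    Matching is case-insensitive because Windows hosts serve these paths
    case-insensitively."""
    if entry is None:
        return False
    path = entry["path"].split("?", 1)[0]
    prefixes = tuple(p.upper() for p in COLDFUSION_PREFIXES)
    return entry["method"] in ("POST", "PUT") and path.upper().startswith(prefixes)

def triage(lines):
    """Return (flagged entries, count of flagged requests per source IP)."""
    flagged = [e for e in map(parse_line, lines) if is_suspicious(e)]
    return flagged, Counter(e["ip"] for e in flagged)

# Constructed sample log: two benign requests and two POSTs to a CF path.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Jun/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Jun/2023:10:01:09 +0000] "POST /CFIDE/adminapi/x.cfc HTTP/1.1" 200 88',
    '198.51.100.7 - - [26/Jun/2023:10:02:00 +0000] "POST /login.cfm HTTP/1.1" 302 0',
    '203.0.113.5 - - [26/Jun/2023:10:02:31 +0000] "POST /cfide/scripts/a.cfm?x=1 HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} {e["path"]} -> {e["status"]}')
    print("POST/PUT requests to ColdFusion paths per source:", dict(by_ip))
```

A source that repeatedly posts to these paths on a server that should not accept uploads there is worth correlating with the endpoint alerts CISA mentions (MDE in these incidents).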

The experts believe that the exploitation was part of a reconnaissance activity conducted by the threat actor.

The first incident took place as early as June 26, 2023, when the threat actors exploited the flaw to breach a web server running Adobe ColdFusion v2016.0.0.3.

The second incident took place as early as June 2, 2023, when the threat actors exploited the flaw to breach a web server running Adobe ColdFusion v2021.0.0.2.

There is no evidence of successful data exfiltration or lateral movement during either incident. The impacted agencies were able to lock out the attackers within 24 hours.
