Adobe ColdFusion Vulnerability Added to CISA Known Exploited Catalog - 20230822001

Overview

CISA has added CVE-2023-26359 to its Known Exploited Vulnerabilities Catalog.

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

What is the vulnerability?

What is vulnerable?

The vulnerability exists in the following products:

  • ColdFusion 2018: Update 15 and earlier versions
  • ColdFusion 2021: Update 5 and earlier versions

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends that administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of two weeks (refer to Patch Management).

Additional Resources