Known Exploited Vulnerability in Adobe ColdFusion - 20231206002¶
Overview¶
Adobe has released security updates for known exploited vulnerability in ColdFusion products affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
What is the vulnerability?¶
CVE-2023-26360 - CVSS v3 Base Score: 8.6
What is vulnerable?¶
The vulnerability affects the following products:
- Adobe ColdFusion versions 2018 Update 15 (and earlier)
- Adobe ColdFusion versions 2021 Update 5 (and earlier)
- Also affects Adobe ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life.
What has been observed?¶
The vulnerability is known to be exploited in the wild in very limited attacks targeting Adobe ColdFusion. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
Recommendation¶
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of one month (refer Patch Management):