Prevent and detect Adobe ColdFusion exploitation (CVE-2023-26360, CVE-2023-26359)

When Adobe released security updates for its ColdFusion application development platform last month, it noted that one of the vulnerabilities (CVE-2023-26360) had been exploited in the wild “in very limited attacks.”


Were your servers among those hit? And what should you do if they were?

About CVE-2023-26360 (and CVE-2023-26359)

CVE-2023-26360 is an improper access control vulnerability that could result in arbitrary code execution in the context of the current user, and was reported to Adobe by security consultants Charlie Arehart and Pete Freitag.

Soon after Adobe released the security bulletin and the security updates, the US CISA added CVE-2023-26360 to its Known Exploited Vulnerabilities (KEV) catalog and set a deadline of April 5, 2023, for federal civilian executive branch agencies to remediate it.

But as Arehart explained, the urgency of the update might not have been grasped by some.

The security updates fixed CVE-2023-26360 and two other flaws – CVE-2023-26359 and CVE-2023-26361 – that could lead to arbitrary code execution, arbitrary file system read, and memory leak.

“In my own opinion this security fix is far more important than the wording of [the Adobe blog post] suggests and even that the update technotes would suggest. To be clear, I HAVE personally seen both the ‘arbitrary code execution’ and ‘arbitrary file system read’ vulnerabilities having been perpetrated on multiple servers, and it IS grave,” he noted.

So he compiled his own extensive write-up to help defenders determine whether someone has exploited those flaws to compromise their servers.

Patch if you haven’t already!

On Monday, Rapid7 added to its AttackerKB project a root cause analysis for CVE-2023-26359 and CVE-2023-26360 and PoCs for using them to trigger arbitrary code execution and file read, and to achieve unauthenticated remote code execution.

“[CVE-2023-26359] was reported exploited in the wild as CVE-2023-26360 but the root cause appears to be the deserialization of untrusted data via CVE-2023-26359,” noted Stephen Fewer, Principal Security Researcher at Rapid7, and announced the imminent availability of a Metasploit module for it.

With all this in mind, if you’re using Adobe ColdFusion to develop and deploy web or mobile apps or to generate remote services, and you haven’t yet updated your servers to ColdFusion 2018 Update 16 or ColdFusion 2021 Update 6, now is high time to do it.

UPDATE (April 17, 2023, 04:50 a.m. ET):

Adobe has revised the security advisory and re-classified CVE-2023-26360 from an improper access control vulnerability to a deserialization of untrusted data vulnerability.
