CISA: Adobe ColdFusion flaw leveraged to access government servers (CVE-2023-26360)

Unknown attackers have leveraged a critical vulnerability (CVE-2023-26360) in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency (CISA) has shared.

About the exploited vulnerability

CVE-2023-26360 is a deserialization of untrusted data vulnerability that could lead to arbitrary code execution.

Adobe disclosed and fixed the flaw in mid-March 2023, and said that it was “aware that CVE-2023-26360 has been exploited in the wild in very limited attacks”.

CVE-2023-26360 affected Adobe ColdFusion versions 2021, 2018, 2016 and 11, but Adobe provided patches only for the former two, as ColdFusion 2016 and 11 had previously reached the end of their (product) lifecycle.

CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the day after, and set the deadline for implementing the fix on April 5.

(Under Binding Operational Directive (BOD) 22-01, all FCEB agencies must remediate vulnerabilities in the KEV catalog within prescribed timeframes.)

The incidents

CISA has revealed that CVE-2023-26360 has been exploited by unknown attackers to target a Federal Civilian Executive Branch (FCEB) agency between June and July 2023.

In two separate attacks, the attackers managed to compromise at least two public-facing servers that were running outdated software versions – one was running Adobe ColdFusion v2021.0.0.2 and the other v2016.0.0.3.

In the first attack, in early June, the attackers performed many reconnaissance actions: they enumerated domain trusts, collected information about local and domain administrative user accounts and the network configuration.

They also dropped a remote access trojan (RAT), and tried (but failed) to exfiltrate Registry files and security account manager (SAM) information.

“The SAM Registry file may allow for malicious actors to obtain usernames and reverse engineer passwords; however, no artifacts were available to confirm that the threat actors were successful in exfiltrating the SAM Registry hive,” the agency explained.

On June 26, 2023, attackers accessed another public-facing web server running Adobe ColdFusion, and again engaged in reconnaissance: they enumerated running processes, checked network connectivity, collected information about the web server and the OS, and checked for the presence of ColdFusion versions 2018 and 2016.

They uploaded various files to the web server and tried to execute code aimed at extracting username, password, and data source URLs.

“Threat actors created various files in the C:\IBM directory using the initialization process coldfusion.exe. None of these files were located on the server (possibly due to threat actor deletion) but are assessed as likely threat actor tools. Analysts assessed the C:\IBM directory as a staging folder to support threat actors’ malicious operations,” the agency added.

Both incidents have been identified and blocked and there is no evidence of data exfiltration or lateral movement. CISA says they don’t know if the same or different threat actors were behind each incident.

The security advisory provides indicators of compromise (IoCs), tactics, techniques, and procedures (TTPs), and detection and protection methods for enterprise defenders, as well as mitigation advice.