Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction.

Deserialization (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it’s performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS).

It was patched by Adobe as part of updates issued in March 2023. As of writing, it’s immediately not clear how the flaw is being abused in the wild.

Read more…