The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging immediate action from federal agencies to address a critical vulnerability in Adobe ColdFusion, CVE-2023-26360, actively exploited by hackers to gain initial access to government servers.

This vulnerability, present in ColdFusion versions 2018 Update 15 and older, and 2021 Update 5 and earlier, allows attackers to execute arbitrary code on affected systems. It was exploited as a zero-day before Adobe patched the flaw in mid-March with ColdFusion 2018 Update 16 and 2021 Update 6.

CISA says that the threat actors leveraged the vulnerability to drop malware using HTTP POST commands to the directory path associated with ColdFusion.

To mitigate the risk, CISA recommends upgrading ColdFusion to the latest available version, applying network segmentation, setting up a firewall or WAF, and enforcing signed software execution policies.
