There are critical vulnerabilities in Adobe ColdFusion. Here's what you need to know.
Background
Adobe released an advisory detailing critical security flaws (CVE-2023-26359 and CVE-2023-26360) in its ColdFusion product, which is often used for web application development and delivery. The vulnerabilities allow an unauthenticated attacker to execute arbitrary code or commands. Adobe reports that at least one of the flaws is being actively exploited. Security patches have been released and should be applied as soon as possible.
Impact
The vulnerabilities affect the following Adobe ColdFusion products and versions:
| Product | Update number | Platform |
| --- | --- | --- |
| ColdFusion 2018 | Update 15 and earlier versions | All |
| ColdFusion 2021 | Update 5 and earlier versions | All |
Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold in the network. From there, the attacker would be able to conduct further exploitation and potentially move laterally through the network.