Adobe ColdFusion Vulnerability Alert | March 2023

There are critical vulnerabilities in Adobe ColdFusion. Here's what you need to know.

Background

Adobe released an advisory detailing critical security flaws (CVE-2023-26359 and CVE-2023-26360) in its ColdFusion product, which is often used for web application development and delivery. The vulnerabilities allow an unauthenticated attacker to execute arbitrary code or commands. Adobe reports that at least one of the flaws is being actively exploited. Security patches have been released and should be applied as soon as possible.

Impact

The vulnerabilities affect the following Adobe ColdFusion products and versions:

| Product         | Update number                  | Platform |
|-----------------|--------------------------------|----------|
| ColdFusion 2018 | Update 15 and earlier versions | All      |
| ColdFusion 2021 | Update 5 and earlier versions  | All      |

Attackers can execute arbitrary code or commands against unpatched devices, gaining a foothold in the network. From there, the attacker would be able to conduct further exploitation and potentially move laterally through the network.

Next Steps

Download and install the latest version of the affected products: