
CISA Alert: Ongoing Adobe ColdFusion Vulnerability Exploitation in Government Servers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of ongoing exploitation of a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360, to gain initial access to government servers.

The flaw allows arbitrary code execution on servers running Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier. It was exploited as a zero-day until Adobe patched it in mid-March 2023 with the ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6 releases.

Despite the fix, CISA warns that CVE-2023-26360 is still being exploited. In June 2023, two incidents affected federal agency systems; in both, the threat actors used the vulnerability to drop malware via HTTP POST requests to the directory path associated with ColdFusion.

CISA notes that both incidents involved servers running outdated software versions vulnerable to several CVEs. In the first incident, beginning around June 26, the attackers exploited the flaw to breach a server running Adobe ColdFusion v2016.0.0.3, an unsupported release that Adobe's March fix did not cover. They enumerated processes, performed network connectivity checks, and installed a web shell (config.jsp), which they used to insert code into a ColdFusion configuration file and extract credentials.

Tools the attacker used in the first attack (CISA)

The second incident, beginning around June 2, saw attackers exploit CVE-2023-26360 on a server running Adobe ColdFusion v2021.0.0.2. They collected user account information, dropped a text file that decoded to a remote access trojan (d.jsp), and attempted to exfiltrate Registry hive files and Security Account Manager (SAM) data.

Both attacks were detected and blocked before data exfiltration or lateral movement occurred. CISA assesses the activity as reconnaissance, and it remains unclear whether the same threat actor was behind both intrusions.
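The delivery pattern CISA describes, a POST to a ColdFusion-served path followed by requests for a freshly dropped JSP such as config.jsp or d.jsp, is something a SOC can hunt for in web-server access logs. The following Python is an added example written for this page, not code from CISA or Adobe. The ColdFusion URL prefixes, the Common Log Format entries and the file names in the sample are assumptions (the log lines are constructed, not captured traffic), so adjust the prefixes to the deployment being monitored.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed URL prefixes served by ColdFusion on a typical install; adjust to your deployment.
COLDFUSION_PREFIXES = ("/CFIDE/", "/cfusion/", "/cf_scripts/")
# File names CISA reported in the two June 2023 incidents: the web shell and the RAT.
KNOWN_SHELL_NAMES = {"config.jsp", "d.jsp"}

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status, bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic): one source POSTs to a ColdFusion path and then
# calls config.jsp; a second source only performs an administrator login.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2023:14:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 1324
203.0.113.7 - - [26/Jun/2023:14:02:19 +0000] "POST /cfusion/upload.cfm HTTP/1.1" 200 54
203.0.113.7 - - [26/Jun/2023:14:03:40 +0000] "GET /CFIDE/config.jsp?cmd=whoami HTTP/1.1" 200 212
198.51.100.2 - - [26/Jun/2023:14:05:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0
198.51.100.2 - - [26/Jun/2023:14:05:09 +0000] "POST /CFIDE/administrator/enter.cfm HTTP/1.1" 200 4410
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match the format."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def is_coldfusion_path(path):
    """True if the request path sits under one of the assumed ColdFusion prefixes."""
    return path.lower().startswith(tuple(p.lower() for p in COLDFUSION_PREFIXES))


def hunt(log_text):
    """Return a list of findings; each is a dict with rule, ip, path and line number."""
    findings = []
    posts_by_ip = defaultdict(list)  # ip -> timestamps of POSTs to ColdFusion paths
    jsp_by_ip = defaultdict(list)    # ip -> (timestamp, path) of every .jsp request
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["path"].rsplit("/", 1)[-1].lower()
        # Rule 1: the delivery method CISA described, a POST into a ColdFusion-served path.
        if rec["method"] == "POST" and is_coldfusion_path(rec["path"]):
            findings.append({"rule": "post_to_coldfusion_path", "ip": rec["ip"],
                             "path": rec["path"], "line": n})
            posts_by_ip[rec["ip"]].append(rec["ts"])
        # Rule 2: a request for a JSP named like the web shell or RAT from the incidents.
        if name.endswith(".jsp"):
            jsp_by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
            if name in KNOWN_SHELL_NAMES:
                findings.append({"rule": "known_webshell_name", "ip": rec["ip"],
                                 "path": rec["path"], "line": n})
    # Rule 3 (correlation): the same source POSTs to a ColdFusion path and afterwards
    # requests any .jsp, i.e. drops a file and then invokes it, regardless of its name.
    for ip, posts in posts_by_ip.items():
        first_post = min(posts)
        later = [p for ts, p in sorted(jsp_by_ip.get(ip, [])) if ts >= first_post]
        if later:
            findings.append({"rule": "drop_then_invoke", "ip": ip,
                             "path": later[0], "line": None})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:<24} {f['ip']:<14} {f['path']}")
```

Rule 1 is deliberately broad: the legitimate administrator login in the sample also trips it, so in practice it is tuned with an allowlist of known admin sources, and a ColdFusion Administrator reachable from the internet at all is worth a finding of its own. Rule 3 is the higher-confidence signal because it matches the drop-then-invoke sequence rather than any single request, and it catches shells that were not named config.jsp or d.jsp.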

To reduce the risk, CISA advises upgrading ColdFusion to the latest supported version, segmenting networks so that a compromised web server cannot reach internal systems directly, deploying a firewall or web application firewall (WAF) in front of the server, and enforcing signed software execution policies. For end-of-life installs such as the ColdFusion 2016 server in the first incident, there is no patch to apply; moving to a supported release is the only remediation.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
