CISA warns of critical Adobe ColdFusion flaw (CVE-2023-26359) exploited in the wild

The Cybersecurity & Infrastructure Security Agency (CISA), a key player in ensuring America’s cyber front remains secure, has drawn attention to a severe security vulnerability affecting Adobe ColdFusion versions 2021 and 2018. The flaw, designated CVE-2023-26359, is no minor concern. With a CVSS (Common Vulnerability Scoring System) score of a whopping 9.8 out of 10, this issue should be on every administrator’s radar.

The CVE-2023-26359 vulnerability is caused by the deserialization of untrusted data. This means that an attacker could persuade a victim to open a specially crafted file, which would then exploit the vulnerability and allow the attacker to execute arbitrary code on the system.


Adobe, aware of the gravity of the situation, has already addressed this critical flaw in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6. It’s crucial for administrators to not only install these updates but to follow the security configuration settings detailed in the ColdFusion 2018 and ColdFusion 2021 lockdown guides. Time is of the essence, and with vulnerabilities as severe as this one, delays can be costly.

Highlighting the significance of this vulnerability, CISA has mandated all U.S. Federal Civilian Executive Branch Agencies (FCEB) to fortify their systems against potential attacks exploiting this flaw. And they’re not given much time: the deadline stands firm at September 11.

CISA’s statement makes it clear: “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” It’s not just about one software or one vulnerability; it’s a wake-up call for agencies, businesses, and individuals alike.

If you are using Adobe ColdFusion, it is important to take steps to protect your systems from this vulnerability. By installing the security updates and applying the recommended security configuration settings, you can help to reduce the risk of attack.