Threat Actors Exploit Adobe ColdFusion Vulnerability (CVE-2023-26360), CISA Warns

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a critical vulnerability tracked as CVE-2023-26360. Adobe fixed the flaw in March 2023 (security bulletin APSB23-25), and CISA added it to its Known Exploited Vulnerabilities catalog the same month. On December 5, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a detailed advisory confirming that threat actors had exploited the vulnerability to gain initial access to government servers.

CVE-2023-26360 is an improper access control issue (CWE-284) that can result in arbitrary code execution. Unidentified attackers exploited it at a Federal Civilian Executive Branch (FCEB) agency, compromising at least two public-facing servers between June and July 2023. Successful exploitation lets an attacker who can reach the vulnerable endpoint execute code on the server, and with it read or alter whatever data and credentials the server holds.

CVE-2023-26360 exploit

The CISA advisory details two separate incidents in which CVE-2023-26360 was exploited. In the first, attackers established a foothold on a public-facing web server running a version of Adobe ColdFusion that was still vulnerable months after a fix was available. In the second, the same pattern was observed against a different public-facing server. Both incidents show the risk of leaving internet-facing software on a version with a known, already-patched vulnerability.

The attackers deployed web shells and remote access trojans (RATs) to maintain persistence on the compromised servers, carried out reconnaissance, and attempted to exfiltrate sensitive data and find lateral movement opportunities within the network. CISA reports no evidence that either the exfiltration or the lateral movement succeeded, but the attempts underscore the need for robust network defenses and continuous monitoring of network activity.

In response to these incidents, CISA has outlined several mitigations for organizations to implement: upgrade all affected Adobe ColdFusion installations to a fixed release, segment networks so that a compromised web server cannot reach internal systems directly, enable multifactor authentication (MFA), and apply the principle of least privilege to the accounts and services the web server runs under. These measures are intended to block similar exploitation attempts and to limit what an attacker can do after a foothold is gained.
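The first mitigation, upgrading every affected install, starts with knowing which servers fall inside the affected ranges stated above (2018 Update 15 and earlier, 2021 Update 5 and earlier). The following Python script is an added example, not code from the CISA advisory or from Adobe: it triages a small inventory of hosts against those ranges and names the first update on each release line that carries Adobe's fix (2018 Update 16 and 2021 Update 6, per bulletin APSB23-25). It assumes the version string format ColdFusion exposes in `server.coldfusion.productversion` and on the Administrator's About page, e.g. `2021,0,05,330109` read as major,minor,update,build; the hostnames and build numbers in the sample inventory are constructed.

```python
"""Triage Adobe ColdFusion installs against the CVE-2023-26360 affected ranges.

Added example; not code from the CISA advisory or from Adobe. It assumes the
version string format that ColdFusion exposes in server.coldfusion.productversion
and in the Administrator "About" page, e.g. "2021,0,05,330109" read as
major,minor,update,build. Hostnames and build numbers in the sample inventory
below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected per Adobe/CISA: 2018 Update 15 and earlier, 2021 Update 5 and earlier.
# First update on each line that contains Adobe's March 2023 fix (APSB23-25).
FIXED_UPDATE = {2018: 16, 2021: 6}

# Release lines older than 2018 (2016 and before) are end-of-life and received
# no fix, so "2018 Update 15 and earlier" covers them as well.
OLDEST_FIXED_LINE = min(FIXED_UPDATE)

_VERSION_RE = re.compile(r"^\s*(\d{4})\s*,\s*(\d+)\s*,\s*(\d+)(?:\s*,\s*(\d+))?\s*$")


@dataclass(frozen=True)
class CFVersion:
    line: int            # release line, e.g. 2018 or 2021
    minor: int
    update: int
    build: int | None    # optional trailing build number


def parse_version(text: str) -> CFVersion:
    """Parse "major,minor,update[,build]"; raise ValueError on anything else."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    line, minor, update, build = m.groups()
    return CFVersion(int(line), int(minor), int(update), int(build) if build else None)


def is_affected(version: CFVersion) -> bool:
    """True when the version is inside the CVE-2023-26360 affected ranges."""
    if version.line < OLDEST_FIXED_LINE:
        return True                       # EOL line: no fixed update exists
    fixed = FIXED_UPDATE.get(version.line)
    if fixed is None:
        return False                      # lines newer than 2021 shipped after the fix
    return version.update < fixed


def remediation(version: CFVersion) -> str:
    """Next step for an affected install."""
    if version.line in FIXED_UPDATE:
        return f"apply ColdFusion {version.line} Update {FIXED_UPDATE[version.line]} or later"
    return "release line is end-of-life; migrate to a supported, fully updated release"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> verdict for a {host: version_string} inventory.

    Unparseable strings are reported, not skipped, so a host with a blank or
    malformed version is never silently treated as safe.
    """
    report: dict[str, str] = {}
    for host, raw in inventory.items():
        try:
            v = parse_version(raw)
        except ValueError:
            report[host] = f"UNKNOWN: cannot parse {raw!r}; verify manually"
            continue
        if is_affected(v):
            report[host] = f"AFFECTED: {raw.strip()}; {remediation(v)}"
        else:
            report[host] = f"not affected: {raw.strip()}"
    return report


# Constructed sample inventory (hostnames and build numbers are placeholders).
SAMPLE_INVENTORY = {
    "cf-legacy-01": "2016,0,17,325979",
    "cf-web-02": "2018,0,15,330109",
    "cf-web-03": "2021,0,05,330109",
    "cf-web-04": "2021,0,06,330132",
    "cf-web-05": "",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The comparison is deliberately per release line rather than a single numeric sort: an update number only means something within its own line (2021 Update 5 is vulnerable while 2018 Update 16 is fixed), and anything older than the 2018 line is flagged regardless of update because no fix was ever shipped for it.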

The exploitation of CVE-2023-26360 is a reminder that a vulnerability with a public fix remains a live threat for as long as internet-facing systems go unpatched. Organizations should prioritize patching known exploited vulnerabilities, continuously monitor their networks for suspicious activity, and maintain the security controls needed to limit the damage when a public-facing server is compromised.