Critical Adobe ColdFusion Flaw Added to CISA's Exploited Vulnerability Catalog

Cyber Security Threat Summary:
CISA has added a critical flaw in Adobe ColdFusion to its catalog of actively exploited vulnerabilities. Tracked as CVE-2023-26359, the flaw relates to a deserialization bug residing in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier). “Deserialization (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it's performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS)” (The Hacker News, 2023).

Security Officer Comments:
No details have been released regarding how the flaw is being abused in the wild. According to Adobe, the vendor stated that it is aware of the bug being exploited in very limited attacks targeting systems running ColdFusion.

It seems as though CVE-2023-26359 can be exploited in low-complexity attacks. As such a threat actor can execute remote arbitrary code without requiring user interaction.

Suggested Correction(s):
CVE-2023-26359 was patched back on March 14, 2023, with the release of ColdFusion 2018 and ColdFusion 2021. CISA is giving federal agencies until September 11, 2023, to apply the necessary patches and secure their systems.