The flaw in question is CVE-2023-26360, with a CVSS score of 8.6. The vulnerability can be exploited by threat actors to achieve arbitrary code execution.
Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution,
The vulnerability affects ColdFusion 2021 and ColdFusion 2018 (Update 15 and previous versions) (Update 5 and earlier versions). Versions Update 16 and Update 6, both issued on March 14, 2023, both address it.
It is worth noting that the flaw also affects ColdFusion 2016 and ColdFusion 11, both of which are no longer supported by the software company.
Adobe said in a security advisory issued Tuesday that the vulnerability has been exploited in “very limited attacks”.
Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.
Charlie Arehart, the security researcher credited alongside Pete Freitag for discovering the vulnerability describes it as a “grave” issue that could result in “arbitrary code execution” and “arbitrary file system read”.
I will say that in my own opinion this security fix is far more important than the wording of this blog post suggests and even that the update technotes would suggest.
Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.