The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about attacks that exploit a vulnerability in Adobe ColdFusion that was patched earlier this year. The vulnerability, tracked as CVE-2023-26359, was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on Monday.
According to CISA, "These vulnerabilities pose significant risks to the federal enterprise and are frequently used as attack vectors by malicious cyber actors."
CVE-2023-26359, which Adobe addressed in its March 2023 Patch Tuesday updates, is a severe data deserialization flaw that can be used to execute arbitrary code.
CISA requires government agencies to fix the vulnerability by September 11. Under Binding Operational Directive (BOD) 22-01, which aims to reduce the risk posed by known exploited vulnerabilities, government organizations must fix flaws that are added to the catalog.
The CISA KEV catalog now includes twelve ColdFusion vulnerabilities, four of them found this year. A few of these security flaws have been chained together in attacks.
There doesn't seem to be any information on the attacks that use CVE-2023-26359, but it is known that several threat actors have used Adobe ColdFusion vulnerabilities in their activities.