coldfusion vulnerability

Adobe Coldfusion vulnerability used in attacks on government servers

The Cybersecurity and Infrastructure Security Agency (CISA) put out a Cybersecurity Advisory (CSA) to alert government agencies about cybercriminals using a vulnerability in Adobe Coldfusion to gain initial access to servers.

Adobe ColdFusion is a platform for building and deploying web and mobile applications. It can often be found on internet-facing servers.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The exploited vulnerability is listed as CVE-2023-26360, which affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). The vulnerability is an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

A patch for this vulnerability has been available since March 14, 2023. As we reported at the time, Adobe stated it was aware  that CVE-2023-26360 had been exploited in the wild in very limited attacks.

The due date for patching the vulnerability set by CISA was April 5, 2023. The problem is that the vulnerability also affects ColdFusion 2016 and ColdFusion 11 installations, which have reached end-of-life (EOL) and are no longer supported with security patches.

According to the CSA, CISA now has confirmation that the vulnerability has been used in attacks on two Federal Civilian Executive Branch (FCEB). An analysis of network logs has reportedly confirmed the compromise of at least two public-facing servers within agencies’ environments between June and July 2023. Both servers were running outdated versions of the software that were vulnerable due to several unpatched flaws.

The investigation learned that it was a reconnaissance attack, and there was no evidence of data theft or lateral movement in the network. After initial access, the criminals started process enumeration to obtain currently running processes on the web server and performed a network connectivity check, likely to confirm their connection was successful.

In the CSA, CISA shares several indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used in the two attacks. It is not clear whether they were done by the same threat actor.


CISA recommends organizations:

  • Upgrade all versions affected by this vulnerability.
  • Prioritize remediation of vulnerabilities on internet-facing systems.
  • Prioritize secure-by-default configurations, such as eliminating default passwords and implementing single sign-on (SSO) technology via modern open standards.
  • Employ proper network segmentation, to separate internet-facing servers from systems that are crucial or contain sensitive information.
  • Deploy application-aware network defenses to block improperly formed traffic and restrict content.

And a lot of other security measures that are less threat-specific.

From our end we’d like to add:

  • Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.
  • Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.
  • Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
  • Stop malicious encryption. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
  • Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
  • Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.