CVE-2023-26359
Published: 23 March 2023
Summary
CVE-2023-26359 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe ColdFusion 2018 Update 15 and earlier, along with 2021 Update 5 and earlier, contain a deserialization of untrusted data flaw tracked as CVE-2023-26359 and classified as CWE-502. The vulnerability permits an attacker to supply crafted serialized data that the application processes without sufficient validation, resulting in arbitrary code execution under the privileges of the ColdFusion process.
An unauthenticated remote attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants full control over the affected server, including the ability to read, modify, or delete data and execute operating-system commands in the context of the running user.
Adobe addressed the flaw in security bulletin APSB23-25, which supplies updated builds for both ColdFusion branches. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild activity. The associated EPSS score has reached a peak of 0.8679 and currently stands at 0.7906.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30180
Vulnerability details
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 21 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation of all input data before deserialization, directly blocking the unauthenticated malicious serialized payloads that trigger arbitrary code execution in ColdFusion.
SI-3 (Malicious Code Protection): deploys malicious-code detection mechanisms that can identify and block the code-execution payloads delivered via the deserialization flaw.
SI-7 (Software, Firmware, and Information Integrity): performs integrity verification on software and data, enabling detection of unauthorized code or objects introduced through untrusted deserialization.