Cyber Resilience

CVE-2023-26359

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 23 March 2023
Modified: 23 October 2025
KEV Added: 21 August 2023
Patch: available (Adobe APSB23-25)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7906 (99.1st percentile)
Risk Priority: 87 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-26359 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.9% of all CVEs by exploit likelihood (EPSS 0.7906), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

Adobe ColdFusion 2018 Update 15 and earlier, along with 2021 Update 5 and earlier, contain a deserialization of untrusted data flaw tracked as CVE-2023-26359 and classified as CWE-502. The application processes attacker-supplied serialized data without sufficient validation, so a crafted serialized object can drive arbitrary code execution under the privileges of the ColdFusion process.

An unauthenticated remote attacker can exploit the issue over the network without any user interaction or credentials. Successful exploitation grants full control over the affected server, including the ability to read, modify, or delete data and execute operating-system commands in the context of the running user.

Adobe addressed the flaw in security bulletin APSB23-25, which supplies updated builds for both affected ColdFusion branches. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score peaked at 0.8679 and currently stands at 0.7906.


Vulnerability details

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 21 August 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Adobe
Product: ColdFusion
Versions: 2018 (Update 15 and earlier), 2021 (Update 5 and earlier)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): requires validation of all input data before deserialization, directly blocking the unauthenticated malicious serialized payloads that trigger arbitrary code execution in ColdFusion.

SI-3 Malicious Code Protection (prevent, detect): deploys malicious-code detection mechanisms that can identify and block the code-execution payloads delivered via the deserialization flaw.

SI-7 Software, Firmware, and Information Integrity (detect): performs integrity verification on software and data, enabling detection of unauthorized code or objects introduced through untrusted deserialization.
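The "validate before deserializing" idea behind SI-10, and the detection side of SI-3, can both be shown with a look-ahead check on the serialized stream itself. The Python below is an added example written for this page; it is not code from the page, from Adobe, or from ColdFusion. It assumes the untrusted input is a standard Java object-serialization stream (the format JVM-hosted applications such as ColdFusion consume; the page does not describe the exact payload), and the allow-list, the request bodies and the class name "com.example.Gadget" are hypothetical sample data constructed here. It recognises a stream in raw or base64 form, reads the first class descriptor without deserializing anything, and rejects any class not on an allow-list.

```python
"""Look-ahead screening of request bodies for Java object-serialization streams.

Added example, not code from the page or from Adobe. Assumes the untrusted
input is a standard Java serialization stream; the allow-list and the class
names below are hypothetical sample data constructed for this example.
"""
import base64
import struct

# Constants from java.io.ObjectStreamConstants
STREAM_HEADER = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
B64_HEADER_PREFIX = b"rO0AB"          # base64 of the 4-byte header always starts this way


def is_java_serialized(body: bytes) -> bool:
    """True for a raw serialized stream or its base64 encoding."""
    if body.startswith(STREAM_HEADER):
        return True
    candidate = body.strip()
    if not candidate.startswith(B64_HEADER_PREFIX):
        return False
    try:
        return base64.b64decode(candidate, validate=True).startswith(STREAM_HEADER)
    except ValueError:
        return False


def first_class_name(stream: bytes):
    """Class name of the first object in a raw stream, or None when the stream
    does not start with a plain TC_OBJECT/TC_CLASSDESC (truncated, back-reference,
    string, array, ...)."""
    if not stream.startswith(STREAM_HEADER):
        return None
    pos = len(STREAM_HEADER)
    if len(stream) < pos + 4:
        return None
    if stream[pos] != TC_OBJECT or stream[pos + 1] != TC_CLASSDESC:
        return None
    pos += 2
    (length,) = struct.unpack(">H", stream[pos:pos + 2])   # writeUTF length prefix
    pos += 2
    name = stream[pos:pos + length]
    if len(name) != length:
        return None
    # writeUTF emits modified UTF-8, identical to UTF-8 for ASCII class names
    return name.decode("utf-8", errors="replace")


def screen(body: bytes, allowlist):
    """Decide before any deserialization happens (the SI-10 step).
    Returns (verdict, detail) with verdict in {"pass", "allow", "reject"}."""
    if not is_java_serialized(body):
        return "pass", "not a Java serialized stream"
    raw = body if body.startswith(STREAM_HEADER) else base64.b64decode(body.strip())
    cls = first_class_name(raw)
    if cls is None:
        return "reject", "serialized stream with unreadable leading class descriptor"
    if cls in allowlist:
        return "allow", cls
    return "reject", "class not on allow-list: " + cls


def build_stream(class_name: str) -> bytes:
    """Constructed sample: the header and first class descriptor of a stream.
    Enough for the look-ahead check; it is not a complete, deserializable object."""
    name = class_name.encode()
    return (STREAM_HEADER + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name
            + b"\x00" * 8      # serialVersionUID (placeholder value)
            + b"\x02"          # classDescFlags: SC_SERIALIZABLE
            + b"\x00\x00")     # field count


# Constructed sample request bodies (hypothetical; "com.example.Gadget" is a made-up name)
SAMPLE_BODIES = {
    "json": b'{"user": "alice"}',
    "hashmap-raw": build_stream("java.util.HashMap"),
    "gadget-b64": base64.b64encode(build_stream("com.example.Gadget")),
    "truncated": STREAM_HEADER + bytes([TC_OBJECT]),
}
ALLOWLIST = {"java.util.HashMap"}


def screen_samples():
    """Run the screen over every sample; returns {label: (verdict, detail)}."""
    return {label: screen(body, ALLOWLIST) for label, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for label, (verdict, detail) in screen_samples().items():
        print(f"{label:12} {verdict:7} {detail}")
```

Two caveats for practitioners. First, a check like this only inspects the leading class descriptor; a stream can nest further classes, so the JVM's own ObjectInputFilter (JEP 290) performs the same allow-list decision on every class as it is resolved, and that is where the check belongs for a Java application. Second, a proxy-side screen is defence in depth: the fix for CVE-2023-26359 is the updated build from APSB23-25, and a malformed or truncated stream should be rejected rather than passed through, as the sample above does.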
