CVE-2023-26360
Published: 23 March 2023
Summary
CVE-2023-26360 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion. Its CVSS base score is 8.6 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
Adobe ColdFusion versions 2018 Update 15 and earlier, along with versions 2021 Update 5 and earlier, contain an Improper Access Control vulnerability tracked as CVE-2023-26360. The flaw permits arbitrary code execution in the context of the current user and carries a CVSS 3.1 score of 8.6, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and changed scope with high confidentiality impact.
An unauthenticated attacker can exploit the issue remotely over the network to achieve code execution without any user interaction, directly targeting exposed ColdFusion instances.
Adobe’s security bulletin APSB23-25 addresses the vulnerability and directs administrators to apply the listed updates for the affected ColdFusion releases. The issue also appears in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild, while public proof-of-concept code has been posted to Packet Storm.
EPSS scores have remained consistently high, reaching a peak of 0.9652 with a current value of 0.9433.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-30181
Vulnerability details
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
- CWE(s): CWE-284 (Improper Access Control)
- KEV Date Added: 15 March 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces access-control decisions on ColdFusion endpoints so that unauthenticated requests cannot reach code-execution paths.
- SC-7 (Boundary Protection): Boundary-protection mechanisms can deny or limit network traffic to the ColdFusion administrative interfaces that the flaw exposes.
- Vendor patching: Requires prompt installation of the vendor patches (APSB23-25) that close the improper-access-control flaw before exploitation occurs.