CISA ColdFusion Advisory
The US Cybersecurity and Infrastructure Security Agency (CISA) has published a cybersecurity advisory confirming in-the-wild exploitation of an improper access control vulnerability in Adobe ColdFusion. The vulnerability, CVE-2023-26360, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on March 15, 2023, with a remediation due date of April 5. Threat actors used it to compromise public-facing servers at a federal civilian executive branch (FCEB) agency. The advisory includes the observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations for detection and protection.
It's time to bid adieu to ColdFusion. CVE-2023-26360 (CVSS score 8.6) is being actively exploited and affects not only the unsupported ColdFusion 2016 and ColdFusion 11 releases, for which no fix will ever ship, but also ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier), which Adobe patched in 2018 Update 16 and 2021 Update 6. Patch or decommission first. If you can't migrate off, treat the remaining controls as compensating rather than corrective: put a WAF in front of the server, implement signed software execution policies (application allowlisting) so a dropped web shell or payload can't run, enforce MFA on every administrative path, and keep up aggressive patch management for whatever supported versions remain.