Authorities urge Adobe ColdFusion customers to promptly install patches and update their systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Advisory (CSA) alerting organizations to the exploitation of a critical vulnerability in Adobe ColdFusion by unidentified threat actors.
The vulnerability, CVE-2023-26360, affects Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), as well as older ColdFusion installations that Adobe no longer supports.
Exploitation of CVE-2023-26360 allows threat actors to execute arbitrary code on affected systems, posing a significant security risk. The vulnerability was added to CISA’s known exploited vulnerability (KEV) catalogue right after its discovery, and an April 5 deadline was given to agencies to fix the issue.
Adobe ColdFusion is a widely used software suite for web application development. Hackread has been reporting this vulnerability ever since it was discovered in March. We reported in August 2023 that this critical remote code execution (RCE) flaw, which impacts both Windows and macOS platforms, allows attackers to seize control of affected systems, making it a high-severity cybersecurity risk. Adobe released security patches to address the following vulnerabilities:
- APSB23-40
- APSB23-41
- APSB23-47
However, FortiGuard Labs observed continued exploitation attempts at that time, indicating that some users had not yet applied the patches.
Now, the same vulnerability has been exploited by unidentified hackers to gain access to two systems within a Federal Civilian Executive Branch (FCEB) agency. Reportedly, the FCEB was running outdated versions, including ColdFusion, which made it vulnerable to the exploit. The hackers were able to gain initial access to two public-facing web servers within the agency’s pre-production environment.
At least two public-facing servers within a Federal Civilian Executive Branch (FCEB) agency were targeted with this vulnerability between June and July 2023. Here are the details of the attacks:
June 2: Initial access, reconnaissance activities (local/domain admin information, network configurations, user details), and deployment of a remote access trojan (RAT). Attempts to exfiltrate data, obtain credentials, download data from C2 infrastructure, and change policies were unsuccessful.
June 26: Attackers connected through a malicious IP address, exploited the vulnerability, and analysed running processes. They navigated the filesystem, deleted logs, and executed malicious code designed for ColdFusion versions 9 and below (targeting usernames, passwords, and URLs).
The code could enable future attacks and upload additional files from an unknown source. Password decryption was not possible due to the agency’s newer ColdFusion version. Attempts to conceal the web shell also failed.
While the hackers could insert malware and launch a reconnaissance campaign, there is no evidence of data exfiltration or lateral movement. The agency removed the compromised servers from the network within 24 hours of receiving the alert. CISA is yet to clarify whether the two attacks originated from the same operators.