[unable to retrieve full-text content]Federal agency breached through Adobe ColdFusion vulnerability  The Record from Recorded Future News Source link

[unable to retrieve full-text content]CISA details twin attacks on federal servers via unpatched ColdFusion flaw  The Register Source link

[unable to retrieve full-text content]Critical Vulnerability in Adobe ColdFusion Exploited by Hackers …  CityLife Source link

[unable to retrieve full-text content]Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial …  CISA Source link

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows executing arbitrary code on servers running  Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. It was exploited as a zero day before Adobe fixed it in mid-March by releasing ColdFusion 2018 Update 16 and 2021 Update 6. At the time, CISA published a notice about threat actors exploiting the flaw and urged federal organizations and state services to apply the available security updates. In an alert today, America’s Cyber Defense Agency warns that CVE-2023-26360 is still leveraged in attacks, showcasing… Source link

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. The security issue allows executing arbitrary code on servers running  Adobe ColdFusion 2018 Update 15 and older, and 2021 Update 5 and earlier. It was exploited as a zero day before Adobe fixed it in mid-March by releasing ColdFusion 2018 Update 16 and 2021 Update 6. At the time, CISA published a notice about threat actors exploiting the flaw and urged federal organizations and state services to apply the available security updates. In an alert today, America’s Cyber Defense Agency warns that CVE-2023-26360 is still leveraged in attacks,… Source link

Unknown attackers exploited a known access control vulnerability in two Adobe ColdFusion application servers at a federal government agency in June, gaining access to the environment, uploading a webshell, and adding malicious code to the servers. There were two separate incidents at the unnamed agency in June, and according to a new advisory from the Cybersecurity and Infrastructure Security Agency the attacks may be the work of one group or two separate groups. The intrusions appeared to be focused on reconnaissance and mapping out the network infrastructure, and CISA said there is no evidence that data was exfiltrated during the intrusions. In both instances, the attackers exploited CVE-2023-26360 in ColdFusion, a bug that Adobe released a fix for in March. “In both… Source link

CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability. The vulnerability, tracked as CVE-2023-26360, was disclosed in March and was shortly after added to CISA’s known exploited vulnerability (KEV) catalog, setting an April 5 deadline for agencies to fix the issue. In a Tuesday advisory, CISA revealed the federal civilian executive branch (FCEB) in question was successfully attacked in June and into July, meaning the vulnerability went unpatched for more than three months after CISA’s deadline.  CISA did not respond to questions about whether the agency has now patched the vulnerability,… Source link

[unable to retrieve full-text content]Hackers breach US govt agencies using Adobe ColdFusion exploit  BleepingComputer Source link

CISA has released details about a federal agency that recently had at least two public-facing servers compromised by attackers exploiting a critical Adobe ColdFusion vulnerability. The vulnerability, tracked as CVE-2023-26360, was disclosed in March and was shortly after added to CISA’s known exploited vulnerability (KEV) catalog, setting an April 5 deadline for agencies to fix the issue. In a Tuesday advisory, CISA revealed the federal civilian executive branch (FCEB) in question was successfully attacked in June and into July, meaning the vulnerability went unpatched for more than three months after CISA’s deadline.  CISA did not respond to questions about whether the agency has now patched the vulnerability, who was behind the attack, or its stance on the missed… Source link