Unknown attackers have leveraged a critical vulnerability (CVE-2023-26360) in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency (CISA) has shared.
About the exploited vulnerability
CVE-2023-26360 is a deserialization of untrusted data vulnerability that could lead to arbitrary code execution.
Adobe disclosed and fixed the flaw in mid-March 2023, and said that it was “aware that CVE-2023-26360 has been exploited in the wild in very limited attacks”.
CVE-2023-26360 affected Adobe ColdFusion versions 2021, 2018, 2016 and 11, but Adobe provided patches only for the first two (2021 and 2018), as ColdFusion 2016 and 11 had previously reached the end of their (product) lifecycle.
CISA added the…