On December 5, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on the actively exploited Adobe ColdFusion vulnerability CVE-2023-26360 [1]. The vulnerability allows adversaries to gain initial access to public-facing Adobe ColdFusion web servers. CVE-2023-26360 has a CVSS score of 9.8 (Critical) and is being actively exploited by cyber threat actors.
In this blog, we explain the Adobe ColdFusion CVE-2023-26360 vulnerability and how organizations can defend against CVE-2023-26360 attacks.
Adobe ColdFusion CVE-2023-26360 Vulnerability Explained
Adobe ColdFusion is a commercial web application development platform that is used to build web applications and services. The platform uses a proprietary language called ColdFusion Markup Language (CFML) to create dynamic and interactive web applications. The application itself is built using Java.
In March 2023, Adobe disclosed a vulnerability affecting Adobe ColdFusion 2018 and 2021. When exploited, CVE-2023-26360 results in arbitrary code execution and does not require user interaction. The vulnerability stems from improper access control and has a CVSS score of 9.8 (Critical).
The CVE-2023-26360 vulnerability affects the Adobe products given below.
| Product Name | Fixed Versions |
|---|---|
| Adobe ColdFusion 2021 | Update 6 and later |
| Adobe ColdFusion 2018 | Update 16 and later |
| Adobe ColdFusion 2016 | End-of-Life, not supported |
| Adobe ColdFusion 11 | End-of-Life, not supported |
In their advisory, CISA confirmed that threat actors exploited CVE-2023-26360 in two incidents and gained initial access to a Federal Civilian Executive Branch (FCEB) agency. Since proof-of-concept exploits are publicly available, organizations are advised to patch their vulnerable Adobe ColdFusion servers as soon as possible.
How Does the Adobe CVE-2023-26360 Exploit Work?
At its core, CVE-2023-26360 is an improper access control vulnerability caused by deserializing untrusted data without proper validation. When an attacker crafts a malicious HTTP request with “_cfclient=true” in the URL, the Adobe ColdFusion server invokes the “convertToTemplateProxy” function and deserializes the attacker-supplied JSON in the request body. Adversaries use this primitive for different purposes, such as arbitrary file read and remote code execution.
//Attacker-crafted POST request
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo^&_cfclient=true HTTP/1.1

_variables%3D%7B%22_metadata%22%3A%7B%22classname%22%3A%22%5C..%5Cruntime%5Cwork%5CCatalina%5Clocalhost%5Ctmp%5Chax.tmp%22%7D%2C%22_variables%22%3A%7B%7D%7D
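The request above gives a defender two things to look for: the “_cfclient=true” trigger in the query string and a “_variables” body whose “_metadata.classname” is a file path rather than a dotted CFC class name. The following Python scanner, added here as an example and not code from the Picus post or from Adobe, runs that check over a request log. The log format (source IP, method, target, URL-encoded body, tab-separated) and the first two sample lines are constructed for the example; the third line reuses the body shown above. Note that “_cfclient=true” on its own is a legitimate ColdFusion client feature, so it is only reported as informational unless the classname looks like a path.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed request log (not real traffic): one request per line as
#   <src_ip> TAB <METHOD> TAB <path?query> TAB <url-encoded body, or "-">
# The third line reuses the body from the request shown in the post.
SAMPLE_LOG = """\
10.0.0.5\tGET\t/index.cfm\t-
10.0.0.6\tPOST\t/api/orders.cfc?method=list&_cfclient=true\t_variables%3D%7B%22_variables%22%3A%7B%22page%22%3A1%7D%7D
198.51.100.9\tPOST\t/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true\t_variables%3D%7B%22_metadata%22%3A%7B%22classname%22%3A%22%5C..%5Cruntime%5Cwork%5CCatalina%5Clocalhost%5Ctmp%5Chax.tmp%22%7D%2C%22_variables%22%3A%7B%7D%7D
"""

# Pull the classname string out of the JSON text, honouring backslash escapes.
CLASSNAME_RE = re.compile(r'"classname"\s*:\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)
# A CFC class name is dotted (e.g. com.acme.Orders); path separators or ".."
# segments mean the deserializer is being pointed at a file on disk.
PATH_LIKE_RE = re.compile(r'[\\/]|\.\.')


def has_cfclient_flag(target: str) -> bool:
    """True when the query string carries _cfclient=true (the trigger in the post)."""
    query = parse_qs(urlsplit(target).query)
    return any(v.strip().lower() == "true" for v in query.get("_cfclient", []))


def extract_variables_json(body: str):
    """Return the raw text of the _variables parameter from a URL-encoded body.

    The whole body is decoded first: in the observed request even the '=' after
    _variables is percent-encoded, so parse_qs would not split it into a pair.
    """
    if body in ("", "-"):
        return None
    decoded = unquote_plus(body)
    idx = decoded.find("_variables=")
    return None if idx == -1 else decoded[idx + len("_variables="):]


def extract_classname(variables_json: str):
    """Find _metadata.classname with a regex instead of json.loads.

    The observed payload contains escapes (backslash followed by '.') that a
    strict JSON parser rejects; a detector must not fail open on input the
    vulnerable parser itself accepts.
    """
    m = CLASSNAME_RE.search(variables_json)
    return m.group(1) if m else None


def is_path_like(classname: str) -> bool:
    """True when the classname contains path separators or a '..' segment."""
    return bool(PATH_LIKE_RE.search(classname))


def analyze_line(line: str):
    """Return a finding dict for a _cfclient request, or None for other traffic."""
    src, method, target, body = line.rstrip("\n").split("\t", 3)
    if not has_cfclient_flag(target):
        return None
    variables = extract_variables_json(body)
    classname = extract_classname(variables) if variables else None
    severity = "high" if classname and is_path_like(classname) else "info"
    return {"src": src, "method": method, "path": urlsplit(target).path,
            "classname": classname, "severity": severity}


def scan(lines):
    """Run analyze_line over every non-empty log line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = analyze_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<5} {f['src']:<14} {f['method']} {f['path']} "
              f"classname={f['classname']!r}")
```

Running the block reports the orders.cfc call as informational and the iedit.cfc request as high severity because its classname begins with a traversal segment. Matching on the exact iedit.cfc path would miss the same payload sent to any other .cfc endpoint, which is why the check keys on the parameter and body shape instead.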
Adobe ColdFusion CVE-2023-26360 Vulnerability Exploit Example
In their advisory, CISA mentioned that threat actors were able to upload a webshell and a remote access trojan (RAT) to the victim's server to establish persistence.
| Uploaded Files | Hash (SHA-1) |
|---|---|
| ee.exe | b6818d2d5cbd902ce23461f24fc47e24937250e6 |
| edge.exe | 75a8ceded496269e9877c2d55f6ce13551d93ff4 |
| fscan.exe | be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656 |
| RC.exe | 9126b8320d18a52b1315d5ada08e1c380d18806b |
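The hashes in the table are only useful if they are actually checked against what is on disk. The sweep below is an added example (not code from the Picus post or from CISA): it hashes every regular file under a directory and matches on SHA-1 rather than on file name, since a dropped binary is often renamed. The `iocs` parameter defaults to the four hashes from the table; the stand-in file and directory used when running it are constructed for the example.

```python
import hashlib
import os
import sys
from pathlib import Path

# SHA-1 hashes from the CISA advisory, as listed in the table above.
# The names record what the files were called when dropped; the sweep does
# not rely on them.
KNOWN_BAD_SHA1 = {
    "b6818d2d5cbd902ce23461f24fc47e24937250e6": "ee.exe",
    "75a8ceded496269e9877c2d55f6ce13551d93ff4": "edge.exe",
    "be332b6e2e2ed9e1e57d8aafa0c00aa77d4b8656": "fscan.exe",
    "9126b8320d18a52b1315d5ada08e1c380d18806b": "RC.exe",
}


def sha1_of_file(path, chunk_size=1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=KNOWN_BAD_SHA1):
    """Walk `root` and return (path, sha1, ioc_name) for every file whose
    SHA-1 is in `iocs`. Symlinks and unreadable files are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # permission denied, file vanished, etc.
            if digest in iocs:
                hits.append((str(path), digest, iocs[digest]))
    return hits


if __name__ == "__main__":
    # Usage: python sweep.py <directory>   (directory argument is your choice)
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, ioc_name in sweep(target_dir):
        print(f"MATCH {path} sha1={digest} (advisory name: {ioc_name})")
```

A clean sweep is weak evidence: a recompiled or repacked binary has a different hash, so the file names in the table, the web root of the ColdFusion server and the ColdFusion request logs should be reviewed alongside it.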
How Does Picus Help Simulate Adobe ColdFusion CVE-2023-26360 Attacks?
We also strongly suggest simulating the Adobe ColdFusion CVE-2023-26360 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Follina, Citrix Bleed, and Looney Tunables, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Adobe ColdFusion CVE-2023-26360 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 95963 | ColdFusion Web Attack Campaign | Web Application |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the Adobe ColdFusion CVE-2023-26360 vulnerability and other vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for the Adobe ColdFusion CVE-2023-26360 vulnerability:
| Security Control | Signature ID | Signature Name |
|---|---|---|
| Checkpoint NGFW | tcp_block_retrans_err_enable | Invalid segment retransmission. Packet dropped. Please refer to sk172266. |
| Fortigate IPS | 52899 | Adobe.ColdFusion.ToTemplateProxy.Insecure.Deserialization |
| Fortiweb | 060150002 | Generic Attacks(Extended) |
| Imperva SecureSphere | CVE-2023-26360: Adobe Coldfusion Improper Access Control RCE | |
| Palo Alto | 93796 | Adobe Insecure Deserialization Vulnerability |
| Trend Micro TippingPoint | 42650 | HTTP: Adobe ColdFusion convertToTemplateProxy Insecure Deserialization Vulnerability |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] “Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers,” Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a. [Accessed: Dec. 06, 2023]