CVE-2023-26360 – Adobe ColdFusion Arbitrary Code Execution

On March 14, 2023, Adobe released a security advisory affecting Adobe ColdFusion versions 2021 and 2018.

The vulnerability was categorized as improper access control, potentially resulting in arbitrary code execution. The exploitation of this issue does not require user interaction. 

No PoC has been released so far. However, after further investigation, the Imperva Threat Research team created effective mitigation against this vulnerability.

Over the past few days, we observed hundreds of exploitation attempts successfully thwarted by Imperva Cloud WAF and Imperva WAF Gateway (customer-managed WAF).

Most exploitation attempts were carried out by automated hacking tools written in the Go programming language.

The attackers tried to read sensitive files from the ColdFusion servers, such as:

  • Neo-runtime.xml
  • Seed.properties
  • Password.properties
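
For defenders triaging their own logs, the following added example (not Imperva's rule logic or code from the original post) scans web access logs for requests that name the files listed above and notes whether the client used Go's default user agent. It assumes Combined Log Format and that the file name appears in the logged request URI; the sample lines, IP addresses and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# File names the post lists as read targets (matched case-insensitively).
SENSITIVE = ("neo-runtime.xml", "seed.properties", "password.properties")

# Assumed Combined Log Format: ip - - [ts] "METHOD uri PROTO" status size "ref" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def decode(uri, rounds=3):
    """Percent-decode repeatedly so double-encoded names still match."""
    for _ in range(rounds):
        nxt = unquote(uri)
        if nxt == uri:
            break
        uri = nxt
    return uri.lower()

def scan(lines):
    """Return {ip: {"files", "go_client", "served"}} for requests naming a target file."""
    hits = defaultdict(lambda: {"files": set(), "go_client": False, "served": False})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not in the assumed format
        uri = decode(m["uri"])
        found = {name for name in SENSITIVE if name in uri}
        if not found:
            continue
        rec = hits[m["ip"]]
        rec["files"] |= found
        # Go's net/http sends "Go-http-client/<ver>" unless the tool overrides it.
        rec["go_client"] |= m["ua"].lower().startswith("go-http-client")
        # A 2xx status means the request was answered, not blocked: triage first.
        rec["served"] |= m["status"].startswith("2")
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '203.0.113.7 - - [16/Mar/2023:10:01:02 +0000] "GET /app/view.cfm?f=Neo-Runtime.xml HTTP/1.1" 403 512 "-" "Go-http-client/1.1"',
    '203.0.113.7 - - [16/Mar/2023:10:01:03 +0000] "GET /app/view.cfm?f=seed%252Eproperties HTTP/1.1" 200 2048 "-" "Go-http-client/1.1"',
    '198.51.100.20 - - [16/Mar/2023:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Mar/2023:10:06:00 +0000] "GET /docs/password.properties HTTP/1.1" 404 0 "-" "curl/8.0.1"',
]
```

Access logs do not record request bodies, so attempts that carry the file name in a POST body will only show up in WAF or proxy logs that capture them.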

We also observed attempts to upload a malicious web shell onto the servers. 

These files were stored as text; however, once uploaded to the server, they were converted into a CFM script that could result in remote code execution.

Existing blocking rules already mitigate the CVE-2023-26360 Adobe ColdFusion vulnerability, so this new CVE is mitigated by both Imperva Cloud WAF and Imperva WAF Gateway.

As always, Imperva Threat Research is monitoring the situation and will provide updates as new information emerges.
