FortiGuard Labs is aware of a report that an improper access control vulnerability in Adobe ColdFusion (CVE-2023-26360) was observed to have been exploited in the wild. Unauthenticated attackers can exploit the vulnerability to achieve arbitrary code execution on a remote machine. On March 15th, CISA added CVE-2023-26360 to the Known Exploited Vulnerability catalog.

Why is this Significant?

This is significant because Adobe reported that an improper access control vulnerability in Adobe ColdFusion (CVE-2023-26360) was exploited in the wild. CISA also added the vulnerability to the Known Exploited Vulnerability catalog. As such the patch needs to be applied as soon as possible.

What is CVE-2023-26360?

CVE-2023-26360 is an improper access control vulnerability that affects ColdFusion 2021 version 5 and prior as well as ColdFusion 2018 version 15 and prior. Unauthenticated attackers can exploit the vulnerability to achieve arbitrary code execution on a remote machine.

Is CVE-2023-26360 being Exploited in the Wild?

Adobe confirmed in the advisory that CVE-2023-26360 was leveraged in the wild.

Has the Vendor Released an Advisory for CVE-2023-26360?

Yes. See the Appendix for a link to “Security updates available for Adobe ColdFusion | APSB23-25”.

Has the Vendor Released a Patch for the Vulnerability?

Yes, Adobe released a patch for CVE-2023-26360 on March 14th, 2023.

What is the Status of Protection?

At this time, there is not sufficient information that allows us to investigate for protection. This Threat Signal will be updated when new information becomes available.