The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Adobe ColdFusion, CVE-2023-26360, to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The flaw could allow a remote attacker to execute arbitrary code. It affects ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier), and it has been fixed in Update 16 and Update 6, respectively.
However, ColdFusion 2016 and ColdFusion 11 are no longer supported and remain vulnerable to exploitation. The vulnerability has been exploited in a few attacks, and federal agencies have been directed to update their systems by April 5, 2023, to mitigate the threat. Security expert Charlie Arehart has described the flaw as “grave,” since it may lead to arbitrary code execution and arbitrary file system reads.