(CTN News) – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360, which is being used by hackers to gain initial access to government servers.
This security flaw allows for the execution of arbitrary code on servers that are running older versions of Adobe ColdFusion, specifically 2018 Update 15 and earlier, as well as 2021 Update 5 and earlier. Adobe addressed this issue in mid-March by releasing ColdFusion 2018 Update 16 and 2021 Update 6.
CISA previously published a notice about threat actors taking advantage of this vulnerability and urged federal organizations and state services to apply the necessary security updates.
In a recent alert, America’s Cyber Defense Agency highlights that CVE-2023-26360 is still being exploited in attacks, citing incidents from June that affected two federal agency systems.
The agency emphasizes that both servers were running outdated software versions that were susceptible to various CVEs.
According to CISA, the threat actors used the vulnerability to deploy malware by sending HTTP POST requests to the directory path associated with ColdFusion.
The first incident occurred on June 26 and involved the exploitation of a critical vulnerability on a server running Adobe ColdFusion v2016.0.0.3. The attackers performed process enumeration and network checks, ultimately installing a web shell (config.jsp) that allowed them to inject code into a ColdFusion configuration file and extract credentials.
Their activities also involved deleting files used in the attack to conceal their presence and creating files in the C:\IBM directory to facilitate undetected malicious operations.
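The sequence CISA describes (a POST to the ColdFusion directory path, then a dropped .jsp web shell such as config.jsp) can be hunted for in web server access logs. The script below is an added detection example written for this article, not code from CISA or Adobe; it assumes Common Log Format lines, treats /CFIDE/ as the ColdFusion directory prefix (an assumption, adjust to the deployment), and uses constructed sample log lines.

```python
import re
from datetime import datetime, timedelta

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
CF_PREFIXES = ("/CFIDE/", "/cfide/")   # assumed ColdFusion directory path
WINDOW = timedelta(minutes=10)         # heuristic: shell used shortly after the POST

# Constructed sample log lines (not real incident data); 203.0.113.10 posts to the
# ColdFusion path and then hits config.jsp; 198.51.100.7 is benign admin traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Jun/2023:10:01:02 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 512
198.51.100.7 - - [26/Jun/2023:10:01:30 +0000] "POST /CFIDE/administrator/login.cfm HTTP/1.1" 200 2048
203.0.113.10 - - [26/Jun/2023:10:02:30 +0000] "POST /CFIDE/config.jsp HTTP/1.1" 200 34
198.51.100.7 - - [26/Jun/2023:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 4096
this line is malformed and must be skipped
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def is_cf_post(r):
    return r["method"] == "POST" and r["path"].startswith(CF_PREFIXES)

def is_served_jsp(r):
    # A .jsp that actually answered (not 404) is what a dropped web shell looks like.
    return r["path"].split("?")[0].lower().endswith(".jsp") and r["status"] < 400

def find_suspicious(lines):
    """Return (ip, path, iso_timestamp) for every served .jsp request that follows
    a POST to the ColdFusion path from the same client within WINDOW."""
    recs = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    last_cf_post, findings = {}, []
    for r in recs:
        prior = last_cf_post.get(r["ip"])
        if is_served_jsp(r) and prior is not None and r["ts"] - prior <= WINDOW:
            findings.append((r["ip"], r["path"], r["ts"].isoformat()))
        if is_cf_post(r):
            last_cf_post[r["ip"]] = r["ts"]
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print("possible web shell after ColdFusion POST:", hit)
```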
The second incident took place on June 2, when the hackers exploited CVE-2023-26360 on a server running Adobe ColdFusion v2021.0.0.2.
Following this, they attempted to extract Registry files and security account manager (SAM) information. The perpetrators exploited existing security tools to gain access to SYSVOL, a specialized directory found on every domain controller within a domain.
Fortunately, in both instances, the attacks were promptly detected and thwarted before any data could be exfiltrated or lateral movement could occur. Additionally, the compromised assets were swiftly removed from critical networks within 24 hours.
CISA’s analysis classifies these attacks as reconnaissance efforts. However, it remains uncertain whether the same threat actor is responsible for both intrusions.
To minimize the associated risks, CISA advises upgrading ColdFusion to the most recent version, implementing network segmentation, establishing a firewall or WAF, and enforcing policies that mandate the execution of signed software.