The U.S. agency tasked with protecting the nation’s cybersecurity and infrastructure added a vulnerability targeting Adobe ColdFusion to its catalog of known exploits after the software maker issued a patch the day before. 

In a March 14 security bulletin, Adobe said it was “aware that CVE-2023-26360 has been exploited in the wild in very limited attacks.” The security updates issued resolve critical vulnerabilities that could lead to arbitrary code execution and memory leak in versions 2021 and 2018 of the web-application development platform.

The Cybersecurity and Infrastructure Agency added the vulnerability to its Known Exploited Vulnerability Catalog “based on evidence of active exploitation,” the U.S. agency said in a March 15 release.

CISA described the exploit in ColdFusion in the KEV as containing “an improper access control vulnerability that allows for remote code execution.” Federal agencies have until April 5 to apply the security updates issued by Adobe.