Vulnerability Management, DevSecOps, Threat Management

Adobe ColdFusion bug exploited; CISA adds RCE to vulnerability catalog

CISA's new incident reporting rules

The U.S. agency tasked with protecting the nation’s cybersecurity and infrastructure added a vulnerability targeting Adobe ColdFusion to its catalog of known exploits after the software maker issued a patch the day before. 

In a March 14 security bulletin, Adobe said it was “aware that CVE-2023-26360 has been exploited in the wild in very limited attacks.” The security updates issued resolve critical vulnerabilities that could lead to arbitrary code execution and memory leak in versions 2021 and 2018 of the web-application development platform.

The Cybersecurity and Infrastructure Agency added the vulnerability to its Known Exploited Vulnerability Catalog “based on evidence of active exploitation,” the U.S. agency said in a March 15 release.

CISA described the exploit in ColdFusion in the KEV as containing “an improper access control vulnerability that allows for remote code execution.” Federal agencies have until April 5 to apply the security updates issued by Adobe.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.