Adobe ColdFusion Deserialization of Untrusted Data Vulnerabilities

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial rapid web-application and mobile applications development platform.

What is the Attack?

CVE-2023-26359 and CVE-2023-26360 are deserialization of untrusted data vulnerabilities that affect Adobe ColdFusion. Successful exploitation of the vulnerabilities could allow unauthenticated attackers to achieve arbitrary code execution.

CVE-2023-26359 has a CVSS score of 9.8 and is rated critical by Adobe. CVE-2023-26360 has a CVSS score of 8.6 and is rated critical by Adobe.

Why is this Significant?

This is significant because both CVE-2023-26359 and CVE-2023-26360 are on the CISA's Known Exploited Vulnerabilities (KEV) catalog, which means that the vulnerabilities have been observed to be exploited in the field. Therefore, FortiGuard Labs strongly advises to see vendor advisory and apply patches to Adobe Coldfusion if not already done.

What is the Vendor Solution?

The patch is available for both CVE-2023-26359 and CVE-2023-26360.

What FortiGuard Coverage is available?

FortiGuard Labs has an IPS signature "Adobe.ColdFusion.ToTemplateProxy.Insecure.Deserialization" in place for CVE-2023-26360.

FortiGuard Labs is currently investigating protection for CVE-2023-26359. We'll update this Threat Signal when new information becomes available.

For a full comprehensive lists of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.