Connect with us

Hi, what are you looking for?



Adobe ColdFusion Vulnerability Exploited in Attacks on US Government Agency 

US government agency was targeted in attacks that involved exploitation of an Adobe ColdFusion vulnerability tracked as CVE-2023-26360.

The US cybersecurity agency CISA on Tuesday published an alert to warn organizations about the exploitation of an Adobe ColdFusion vulnerability.

The vulnerability, tracked as CVE-2023-26360, was patched in mid-March 2023, when Adobe warned that it had been aware of “very limited attacks” exploiting the flaw. 

In August, cybersecurity firm Rapid7 said it had seen multiple attacks leveraging the ColdFusion vulnerability, suggesting that broad exploitation had been underway. 

In a new cybersecurity advisory, CISA revealed that CVE-2023-26360 was exploited in June as part of attacks aimed at servers belonging to a federal civilian executive branch (FCEB) agency. 

According to CISA, threat actors leveraged the vulnerability to “establish an initial foothold on two agency systems in two separate instances”. One incident occurred in early June and the second in late June and CISA said it was unclear if the same hacker group was behind both intrusions. 

The attackers targeted internet-exposed web servers located in the victim’s pre-production environment, with both servers running outdated software versions affected by multiple vulnerabilities.

“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” CISA explained.

It added, “Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident.”

Advertisement. Scroll to continue reading.

The agency has not linked the attacks to any known threat group, describing the actors as “unidentified”. 

CISA’s advisory on the exploitation of CVE-2023-26360 provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), as well as recommendations for protecting systems against such attacks. 

Related: CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities

Related: NSA, CISA Explain How Threat Actors Plan and Execute Attacks on ICS/OT

Related: CISA Debuts ‘Secure by Design’ Alert Series

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.