The US cybersecurity agency CISA on Tuesday published an alert to warn organizations about the exploitation of an Adobe ColdFusion vulnerability.
The vulnerability, tracked as CVE-2023-26360, was patched in mid-March 2023, when Adobe warned that it had been aware of “very limited attacks” exploiting the flaw.
In August, cybersecurity firm Rapid7 said it had seen multiple attacks leveraging the ColdFusion vulnerability, suggesting that broad exploitation had been underway.
In a new cybersecurity advisory, CISA revealed that CVE-2023-26360 was exploited in June as part of attacks aimed at servers belonging to a federal civilian executive branch (FCEB) agency.
According to CISA, threat actors leveraged the vulnerability to “establish an initial foothold on two agency systems in two separate instances”. One incident occurred in early June and the second in late June and CISA said it was unclear if the same hacker group was behind both intrusions.
The attackers targeted internet-exposed web servers located in the victim’s pre-production environment, with both servers running outdated software versions affected by multiple vulnerabilities.
“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” CISA explained.
It added, “Analysis suggests that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. No evidence is available to confirm successful data exfiltration or lateral movement during either incident.”
The agency has not linked the attacks to any known threat group, describing the actors as “unidentified”.
CISA’s advisory on the exploitation of CVE-2023-26360 provides information on tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), as well as recommendations for protecting systems against such attacks.
Related: CISA Urges Federal Agencies to Patch Exploited Qualcomm Vulnerabilities
Related: NSA, CISA Explain How Threat Actors Plan and Execute Attacks on ICS/OT
