Software maker Adobe on Tuesday issued an urgent warning about “very limited attacks” exploiting a zero-day vulnerability in its Adobe ColdFusion web app development platform.
Adobe’s warning was embedded in a critical-severity level advisory that contains patches for ColdFusion versions 2021 and 2018.
“Adobe is aware that CVE-2023-26360 has been exploited in-the-wild in very limited attacks targeting Adobe ColdFusion,” the company said. No other details on the in-the-wild compromises were provided.
Adobe’s PSIRT said the patches cover software defects that “could lead to arbitrary code execution, arbitrary file system read and memory leak.”
The company described the exploited vulnerability as a critical arbitrary file system read vulnerability with a CVSS base score of 8.6/10. The ColdFusion update also features a second critical bug (CVSS 9.8) that could lead to code execution attacks.
In all, Adobe released patches for a whopping 106 vulnerabilities in a wide range of products, some serious enough to expose both Windows and macOS users to remote code execution attacks.
These include:
- Four documented vulnerabilities in Adobe Commerce (formerly Magento) that could lead to arbitrary code execution, security feature bypass and arbitrary file system read. Adobe rates this a critical bulletin
- At least 18 security flaws in the Adobe Experience Manager software. “Successful exploitation of these vulnerabilities could result in arbitrary code execution, privilege escalation and security feature bypass.”
- Five critical security defects affecting Adobe Illustrator (Windows and macOS) that could lead to memory leak and arbitrary code execution.
- 58 documented CVEs in Adobe Dimension. “Successful exploitation could lead to memory leak and arbitrary code execution in the context of the current user.”
The company also fixed a critical-level vulnerability in the popular Adobe Photoshop (Windows and macOS), a separate code execution flaw in the Adobe Creative Cloud desktop application, and 16 new issues in the Adobe Substance 3D Stager.
Related: Adobe Plugs Critical Security Holes in Illustrator, After Effects Software
Related: Adobe Warns of ‘Critical’ Security Flaws in Enterprise Products
Related: Adobe Patches Gaping Security Holes in Acrobat, Reader, Photoshop

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Aembit Scores $16.6M Seed Funding for Workload IAM Technology
- Project Zero: Samsung Mobile Chipsets Vulnerable to Baseband Code Execution Exploits
- Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million
- Microsoft Pins Outlook Zero-Day Attacks on Russian Actor, Offers Detection Script
- Microsoft Warns of Outlook Zero-Day Exploitation, Patches 80 Security Vulns
- Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
- Cloud Forensics Startup Mitiga Completes $45M Series A
Latest News
- Google Suspends Chinese Shopping App Amid Security Concerns
- Verosint Launches Account Fraud Detection and Prevention Platform
- Ransomware Gang Publishes Data Allegedly Stolen From Maritime Firm Royal Dirkzwager
- Zoom Paid Out $3.9 Million in Bug Bounties in 2022
- Oleria Scores $8M Seed Funding for ID Authentication Technology
- Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant
- News Analysis: UK Commits $3 Billion to Support National Quantum Strategy
- Malicious NuGet Packages Used to Target .NET Developers
