The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that an Adobe ColdFusion vulnerability patched earlier this year is being exploited in attacks.
The vulnerability in question is tracked as CVE-2023-26359 and it was added by CISA on Monday to its Known Exploited Vulnerabilities (KEV) Catalog.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Adobe, which fixed the vulnerability with its March 2023 Patch Tuesday updates, describes CVE-2023-26359 as a critical data deserialization issue that can be exploited for arbitrary code execution.
CISA has instructed government organizations to address the vulnerability by September 11. Government agencies are required to resolve flaws added to the catalog per the Binding Operational Directive (BOD) 22-01, which focuses on reducing the risk posed by known exploited vulnerabilities.
CISA’s KEV catalog currently includes 12 ColdFusion flaws, including four discovered this year. Some of these security holes have been chained in attacks.
No information appears to be available on the attacks exploiting CVE-2023-26359, but Adobe ColdFusion vulnerabilities are known to have been leveraged by various types of threat actors in their operations.
Related: Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
Related: Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
Related: Adobe Warns of ‘Very Limited Attacks’ Exploiting ColdFusion Zero-Day
Related: Decade-Old Adobe ColdFusion Vulnerabilities Exploited by Ransomware Gang

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Microsoft Adding New Security Features to Windows 11
- Sony Investigating After Hackers Offer to Sell Stolen Data
- 900 US Schools Impacted by MOVEit Hack at National Student Clearinghouse
- Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- Cisco to Acquire Splunk for $28 Billion
Latest News
- Microsoft Adding New Security Features to Windows 11
- UAE-Linked APT Targets Middle East Government With New ‘Deadglyph’ Backdoor
- Sony Investigating After Hackers Offer to Sell Stolen Data
- The CISO Carousel and its Effect on Enterprise Cybersecurity
- Xenomorph Android Banking Trojan Targeting Users in US, Canada
- $200 Million in Cryptocurrency Stolen in Mixin Network Hack
- Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
- Nigerian Pleads Guilty in US to Million-Dollar BEC Scheme Role
