The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that an Adobe ColdFusion vulnerability patched earlier this year is being exploited in attacks.
The vulnerability in question is tracked as CVE-2023-26359 and it was added by CISA on Monday to its Known Exploited Vulnerabilities (KEV) Catalog.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
Adobe, which fixed the vulnerability with its March 2023 Patch Tuesday updates, describes CVE-2023-26359 as a critical data deserialization issue that can be exploited for arbitrary code execution.
CISA has instructed government organizations to address the vulnerability by September 11. Government agencies are required to resolve flaws added to the catalog per the Binding Operational Directive (BOD) 22-01, which focuses on reducing the risk posed by known exploited vulnerabilities.
CISA’s KEV catalog currently includes 12 ColdFusion flaws, including four discovered this year. Some of these security holes have been chained in attacks.
No information appears to be available on the attacks exploiting CVE-2023-26359, but Adobe ColdFusion vulnerabilities are known to have been leveraged by various types of threat actors in their operations.