The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has added a important security flaw in Adobe ColdFusion to its Recognized Exploited Vulnerabilities (KEV) catalog, based mostly on proof of lively exploitation.
The vulnerability, cataloged as CVE-2023-26359 (CVSS rating: 9.8), pertains to a deserialization flaw current in Adobe ColdFusion 2018 (Replace 15 and earlier) and ColdFusion 2021 (Replace 5 and earlier) that might lead to arbitrary code execution within the context of the present consumer with out requiring any interplay.
Deserialization (aka unmarshaling) refers back to the strategy of reconstructing an information construction or an object from a byte stream. However when it is carried out with out validating its supply or sanitizing its contents, it may result in surprising penalties reminiscent of code execution or denial-of-service (DoS).
It was patched by Adobe as a part of updates issued in March 2023. As of writing, it is instantly not clear how the flaw is being abused within the wild.
That mentioned, the event comes greater than 5 months after CISA positioned one other flaw impacting the identical product (CVE-2023-26360) to the KEV catalog. Adobe mentioned it is conscious of the weak spot being exploited in “very restricted assaults” aimed toward ColdFusion.
In gentle of lively exploitation, Federal Civilian Government Department (FCEB) companies are required to use the required patches by September 11, 2023, to guard their networks in opposition to potential threats.
