Today, CISA released a cybersecurity advisory “Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers,” in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a federal civilian executive branch agency. This vulnerability presents as an improper access control issue impacting specific versions of Adobe ColdFusion, some of which are no longer supported. 

 In June 2023, according to the report, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two federal agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint alerted the agencies of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs. Adobe ColdFusion is a commercial application server used for rapid web-application development, such as supporting proprietary markup languages for building web applications and integrating external components like databases and other third-party libraries.   

The advisory provides network defenders with details on the vulnerability, tactics, techniques, and procedures, indicators of compromise, and methods to detect and protect against similar exploitation. CISA encourages organizations to prioritize remediating known exploited vulnerabilities, employ proper network segmentation and enable multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Organizations are encouraged to implement the recommended mitigations in the advisory to improve cybersecurity posture against this particular threat actor activity. Read the full advisory at CISA.