
Hackers Breach U.S. Government Systems Through Adobe ColdFusion Vulnerability

The U.S. CISA cautions that threat actors are actively exploiting a critical vulnerability in Adobe ColdFusion to compromise government agencies.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, alerting people about the active exploitation of a critical vulnerability (CVE-2023-26360) in Adobe ColdFusion by threat actors targeting government agencies.

Overview of Adobe ColdFusion

The vulnerability, classified as an Improper Access Control weakness, allows remote attackers to execute arbitrary code and can also lead to arbitrary file-system reads and memory leaks.

The affected versions are Adobe ColdFusion 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). The flaw was first exploited as a zero-day in March 2023, and the U.S. CISA promptly added the critical CVE-2023-26360 (CVSS score: 8.6) to its Known Exploited Vulnerabilities Catalog.

Recent reports show that exploitation is ongoing: the U.S. Cyber Defense Agency describes the breach of two federal agency systems in June. The threat actors gained access to the compromised servers, both of which were running outdated software versions, by sending HTTP POST commands to the directory path associated with ColdFusion.

“In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software which are vulnerable to various CVEs.” reads the alert published by US CISA.

“Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion.”

Experts suggest these attacks may have been part of a reconnaissance effort by threat actors.
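As an added illustration of the detection side of this (not code from the article or from CISA): a small Python scanner that reads web-server access logs in Common Log Format and flags POST requests aimed at ColdFusion's web-accessible directories, noting whether each source address is external. The log lines are constructed samples, and the watched path prefixes (`/cfide/`, `/cf_scripts/`) are an assumption based on standard ColdFusion install layouts; the article itself does not name the exact directory path used in the incidents.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Common Log Format (not from the CISA alert).
SAMPLE_LOG = """\
203.0.113.45 - - [26/Jun/2023:14:02:11 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 512
10.0.0.7 - - [26/Jun/2023:14:03:40 +0000] "GET /cfide/scripts/cfform.js HTTP/1.1" 200 2048
10.0.0.7 - - [26/Jun/2023:14:04:15 +0000] "POST /cfide/administrator/index.cfm HTTP/1.1" 200 512
203.0.113.45 - - [26/Jun/2023:14:06:00 +0000] "POST /index.cfm HTTP/1.1" 200 4096
198.51.100.9 - - [26/Jun/2023:14:07:31 +0000] "POST /cf_scripts/scripts/ajax/package/cfajax.js HTTP/1.1" 200 128
"""

# Common Log Format: client IP, ident, user, [timestamp], "METHOD path protocol", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumption: ColdFusion's standard web-accessible directories. The article does not
# name the exact directory path the attackers POSTed to, so treat this as a starting list.
CF_PATH_PREFIXES = ("/cfide/", "/cf_scripts/")

# RFC 1918 ranges plus loopback; anything else is treated as external. (Python's
# ip.is_private would also classify the documentation ranges used in SAMPLE_LOG as
# private, so an explicit list is used instead.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip_str):
    """True if the address falls in a private or loopback range."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False  # unparsable source field: do not assume it is internal
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_suspicious_posts(log_text):
    """Return every POST to a ColdFusion directory, annotated with whether the source is external."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().startswith(CF_PATH_PREFIXES):
            continue
        rec["external"] = not is_internal(rec["ip"])
        findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Count flagged POSTs per source IP so repeat sources stand out during triage."""
    counts = {}
    for rec in findings:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious_posts(SAMPLE_LOG)
    for h in hits:
        tag = "EXTERNAL" if h["external"] else "internal"
        print(f'{h["ts"]}  {h["ip"]:<15} {tag:<8} POST {h["path"]} -> {h["status"]}')
    print("per-source counts:", summarize_by_source(hits))
```

On the public-facing pre-production servers CISA describes, the external hits are the ones to correlate with EDR alerts such as the Microsoft Defender for Endpoint detections mentioned above; internal hits still deserve a look, since administrators rarely POST to these paths by hand. The scanner is a triage aid for log review, not a substitute for upgrading past the affected ColdFusion releases.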

Timeline of Incidents

The first incident occurred on June 26, 2023, targeting a web server running Adobe ColdFusion v2016.0.0.3, while the second incident on June 2, 2023, affected a web server running Adobe ColdFusion v2021.0.0.2.

Fortunately, there is no evidence of successful data exfiltration or lateral movement in either case, as the impacted agencies successfully thwarted the attackers within 24 hours.
