A THIRD Adobe ColdFusion vulnerability is being exploited in the wild in just six months. CISA this week urged organisations to patch promptly.
Proof-of-concept exploits for CVE-2023-26359, rated CVSS 9.8, are easily available and, as the National Vulnerability Database (NVD) says in its CVE note, “exploitation of this issue does not require user interaction.”
Attacks appear to have been ongoing since January 2023, and confusion abounds in many organisations over the extent of their exposure, with Adobe also facing criticism in some quarters over the clarity of its patch notes.
(ColdFusion 2021 and 2023 got important security updates on August 16 that resolve several weaknesses that have led to recent exploits.)