CVE-2023-26360
Published on: Not Yet Published
Last Modified on: 05/01/2023 06:15:00 PM UTC
Certain versions of ColdFusion from Adobe contain the following vulnerability:
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
- CVE-2023-26360 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
- Affected Vendor/Software: Adobe - ColdFusion version <= CF2018U15
- Affected Vendor/Software: Adobe - ColdFusion version <= CF2021U5
- Affected Vendor/Software: Adobe - ColdFusion version <= None
CVSS3 Score: 8.6 - HIGH
Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
NETWORK | LOW | NONE | NONE |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
CHANGED | HIGH | NONE | NONE |
CVE References
Description | Tags | Link |
---|---|---|
Adobe ColdFusion Unauthenticated Remote Code Execution ≈ Packet Storm | | packetstormsecurity.com text/html |
Adobe Security Bulletin | | helpx.adobe.com text/html |
Related QID Numbers
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Adobe | Coldfusion | 2018 | - | All | All |
Application | Adobe | Coldfusion | 2018 | update1 | All | All |
Application | Adobe | Coldfusion | 2018 | update10 | All | All |
Application | Adobe | Coldfusion | 2018 | update11 | All | All |
Application | Adobe | Coldfusion | 2018 | update12 | All | All |
Application | Adobe | Coldfusion | 2018 | update13 | All | All |
Application | Adobe | Coldfusion | 2018 | update14 | All | All |
Application | Adobe | Coldfusion | 2018 | update15 | All | All |
Application | Adobe | Coldfusion | 2018 | update2 | All | All |
Application | Adobe | Coldfusion | 2018 | update3 | All | All |
Application | Adobe | Coldfusion | 2018 | update4 | All | All |
Application | Adobe | Coldfusion | 2018 | update5 | All | All |
Application | Adobe | Coldfusion | 2018 | update6 | All | All |
Application | Adobe | Coldfusion | 2018 | update7 | All | All |
Application | Adobe | Coldfusion | 2018 | update8 | All | All |
Application | Adobe | Coldfusion | 2018 | update9 | All | All |
Application | Adobe | Coldfusion | 2021 | - | All | All |
Application | Adobe | Coldfusion | 2021 | update1 | All | All |
Application | Adobe | Coldfusion | 2021 | update2 | All | All |
Application | Adobe | Coldfusion | 2021 | update3 | All | All |
Application | Adobe | Coldfusion | 2021 | update4 | All | All |
Application | Adobe | Coldfusion | 2021 | update5 | All | All |
- cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update1:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update10:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update11:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update12:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update13:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update14:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update15:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update2:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update3:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update4:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update5:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update6:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update7:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update8:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2018:update9:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*:
- cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*:
No vendor comments have been submitted for this CVE
Social Mentions
Title | Posted (UTC) |
---|---|
"Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion." | 2023-03-15 00:58:05 |
CVE-2023-26360 - A critical zero-day flaw in Adobe ColdFusion securityonline.info/cve-2023-26360… #opensource #infosec #security #pentesting | 2023-03-15 01:51:29 |
CVE-2023-26360 – A critical zero-day flaw in Adobe ColdFusion dlvr.it/SkvSQ3 via securityonline https://t.co/pY1kfe4Cbc | 2023-03-15 01:58:03 |
Published CyberNewsFlash "Regarding updates for multiple Adobe products." Adobe reportedly has confirmed attacks exploiting the improper access restriction vulnerability in Adobe ColdFusion (CVE-2023-26360). Adobe… twitter.com/i/web/status/1… | 2023-03-15 04:59:43 |
CVE-2023-26360 – A critical zero-day flaw in Adobe ColdFusion securityonline.info/cve-2023-26360… | 2023-03-15 07:41:51 |
"Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting Adobe Cold… twitter.com/i/web/status/1… | 2023-03-15 12:52:39 |
CVE-2023-26360 – A critical zero-day flaw in Adobe ColdFusion BY DO SON · PUBLISHED MARCH 14, 2023 · UPDATED MARCH… twitter.com/i/web/status/1… | 2023-03-15 16:29:03 |
CVE-2023-26360 - Adobe ColdFusion Improper Access Control Vulnerability has been added to the KEV catalog. | 2023-03-15 18:11:51 |
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the improper access control vulnerability in Adobe ColdFusion (CVE-2023-26360) to its Known Exploited Vulnerabilities (KEV) catalog. Remote… twitter.com/i/web/status/1… | 2023-03-15 23:06:30 |
[Vulnerability exploitation] On March 15, @CISACyber updated its "Known Exploited Vulnerabilities" list. 1. CVE-2023-26360 Adobe ColdFusion vulnerability. U.S. CISA: updates based on vendor information… twitter.com/i/web/status/1… | 2023-03-16 00:19:11 |
One entry was added to the Known Exploited Vulnerability to Catalog: CVE-2023-26360 Adobe ColdFusion Improper Access Control Vulnerab… twitter.com/i/web/status/1… | 2023-03-16 01:27:02 |
Heads up to all #Adobe ColdFusion users! A critical flaw, CVE-2023-26360, has been found and exploited in the wild.… twitter.com/i/web/status/1… | 2023-03-16 04:48:26 |
Heads up to all #Adobe ColdFusion users! A critical flaw, CVE-2023-26360, has been found and exploited in the wild.… twitter.com/i/web/status/1… | 2023-03-16 04:49:43 |
Heads up to all #Adobe ColdFusion users! A critical flaw, CVE-2023-26360, has been found and exploited in the wild.… twitter.com/i/web/status/1… | 2023-03-16 04:53:21 |
Heads up to all Adobe ColdFusion users! A critical flaw, CVE-2023-26360, has been found and exploited in the wild.… twitter.com/i/web/status/1… | 2023-03-16 04:58:07 |
Following on from yesterday, one entry was added to CISA's "Known Exploited Vulnerabilities Catalog." The added vulnerability is the Adobe ColdFusion vulnerability (CVE-2023-26360), and according to Adobe, the timing of the fix's release… twitter.com/i/web/status/1… | 2023-03-16 05:57:44 |
Heads up Security experts: #CVE-2023-26360 for #AdobeColdFusion has been added to the U.S.#CISA Known Exploited Vul… twitter.com/i/web/status/1… | 2023-03-16 06:14:59 |
A very good morning with a critical vulnerability: Adobe #ColdFusion exploited in the wild CVE-2023-26360 thehackernews.com/2023/03/cisa-i… | 2023-03-16 06:31:28 |
Heads up to all @Adobe @coldfusion users! A critical flaw, CVE-2023-26360, has been found and #exploited in the wi… twitter.com/i/web/status/1… | 2023-03-16 06:40:28 |
CISA Identifies Critical Vulnerability in Adobe ColdFusion The flaw, known as CVE-2023-26360, can be exploited rem… twitter.com/i/web/status/1… | 2023-03-16 09:01:05 |
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to ac… twitter.com/i/web/status/1… | 2023-03-16 11:44:52 |
The vuln CVE-2023-26360 has a tweet created 0 days ago and retweeted 11 times. twitter.com/CISACyber/stat… #pow1rtrtwwcve | 2023-03-16 12:06:01 |
Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero-day > Threat Signal Report \| FortiGuard fortiguard.fortinet.com/threat-signal-… | 2023-03-16 12:35:08 |
CVE-2023-26360 is getting exploited #inthewild. Find out more at inthewild.io/vuln/CVE-2023-… | 2023-03-16 13:26:15 |
Attention all #Adobe ColdFusion users! A critical flaw, CVE-2023-26360, has been discovered and is being exploited. CISA issues urgent warning: Adobe ColdFusion vulnerab… twitter.com/i/web/status/1… | 2023-03-16 14:22:48 |
The flaw in question is CVE-2023-26360, with a CVSS score of 8.6. The vulnerability can be exploited by threat acto… twitter.com/i/web/status/1… | 2023-03-16 15:00:29 |
Top 3 trending CVEs on Twitter Past 24 hrs: CVE-2023-23397: 4.7M (audience size) CVE-2023-26360: 1.2M CVE-2019-189… twitter.com/i/web/status/1… | 2023-03-16 16:53:56 |
#FortiGuardLabs Threat Signal Report: Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero-… twitter.com/i/web/status/1… | 2023-03-16 18:01:01 |
[email protected] Threat Signal Report: Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero… twitter.com/i/web/status/1… | 2023-03-16 20:59:12 |
To all #Adobe #ColdFusion users - A critical #flaw, CVE-2023-26360, has been found and #exploited in the wild. thehackernews.com/2023/03/cisa-i… | 2023-03-16 22:07:18 |
This is an automated tweet This week in Zerodays CVE-2023-26360: vi.strobes.co/cve/CVE-2023-2… CVE-2023-24880:… twitter.com/i/web/status/1… | 2023-03-17 11:30:07 |
The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which can be exploited by a threat actor to… twitter.com/i/web/status/1… | 2023-03-17 12:02:51 |
CISA Adds One Known Exploited #Vulnerability to Catalog CVE-2023-26360 - Adobe ColdFusion Improper Access Control… twitter.com/i/web/status/1… | 2023-03-17 18:52:00 |
Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero-day? #Cybersecurity #BugBounty Sourc… twitter.com/i/web/status/1… | 2023-03-18 05:00:30 |
CVE-2023-26360 : Adobe ColdFusion versions 2018 Update 15 and earlier and 2021 Update 5 and earlier are affecte… twitter.com/i/web/status/1… | 2023-03-23 20:08:54 |
[email protected] Threat Signal Report: Critical Adobe ColdFusion Vulnerability (CVE-2023-26360) Exploited as a Zero… twitter.com/i/web/status/1… | 2023-03-23 21:03:27 |
Adobe has released security updates for ColdFusion versions 2021 and 2018. Resolves critical and important vulnerabilities that could lead to arbitrary code execution and memory leak. Adobe is aware that CVE-2023-26360 has been exploited in the wild in very limited attacks targeting ColdFusion. | 2023-03-15 03:45:46 |
MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in Adobe Products Could Allow for Arbitrary Code Execution - PATCH NOW | 2023-03-15 12:44:55 |
CVE-2023-26360 | 2023-03-23 20:38:27 |