The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that hackers are actively exploiting CVE-2023-26360, a major vulnerability in Adobe ColdFusion, to gain initial access to government computers.
The security flaw permits the execution of arbitrary code on servers running Adobe ColdFusion 2021 Update 5 and prior, as well as 2018 Update 15 and older. It was exploited as a zero-day before Adobe patched the issue in mid-March by releasing ColdFusion 2018 Update 16 and 2021 Update 6.
Upon discovering that threat actors were taking advantage of the vulnerability, CISA released a notification at the time advising state and federal agencies to implement the available security fixes.
The United States Cyber Defense Agency has issued a notice today describing June incidents that affected two federal agency systems and cautioning that CVE-2023-26360 is still being used in attacks.
The second incident happened on June 2, when a server running Adobe ColdFusion v2021.0.0.2 was compromised by hackers using CVE-2023-26360.
In this instance, the attackers obtained user account data before dropping a text file that was identified as a remote access trojan (d.jsp).
They then attempted to steal data from the Security Account Manager (SAM) and Registry files. The attackers gained access to SYSVOL, a special directory found on each domain controller in a domain, by abusing security tools that were readily available.