The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion. This vulnerability, identified as CVE-2023-26360, allows hackers to gain initial access to government servers. Servers running Adobe ColdFusion 2018 Update 15 and older, as well as 2021 Update 5 and earlier, are at risk.
Adobe released ColdFusion 2018 Update 16 and 2021 Update 6 in mid-March to fix this zero-day vulnerability. However, CISA has reported that threat actors are still leveraging CVE-2023-26360 in attacks. The agency has highlighted incidents from June in which two federal agency systems were compromised. CISA notes that both servers were running outdated versions of the software, leaving them vulnerable to several CVEs.
During the attacks, the threat actors used the vulnerability to drop malware on the servers by sending HTTP POST requests to the directory path associated with ColdFusion. In the first incident, on June 26, a server running Adobe ColdFusion v2016.0.0.3 was breached. The attackers performed process enumeration and network checks, then installed a web shell (config.jsp) to insert code into a ColdFusion configuration file and extract credentials. They also deleted files used in the attack to conceal their presence and created files in the C:\IBM directory to facilitate undetected malicious operations.
The second incident occurred on June 2, where the hackers exploited CVE-2023-26360 on a server running Adobe ColdFusion v2021.0.0.2. In this case, the attackers gathered user account information before dropping a text file that decoded as a remote access trojan (d.jsp). They then attempted to exfiltrate Registry files and security account manager (SAM) information. The attackers also abused available security tools to access SYSVOL, a special directory present on every domain controller in a domain.
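The two incidents above share observable traces in web server access logs: POST requests to ColdFusion directories used to drop files, and requests for the web shell filenames CISA names (config.jsp and d.jsp). The following triage script is an added example, not code from the article or from CISA; it runs over a handful of constructed, simplified access-log lines (date, time, method, path, status, client IP) and flags entries that match those traces. The ColdFusion directory prefixes it watches (/CFIDE/ and /cf_scripts/) are an assumption about a typical deployment and should be adjusted to your own webroot layout.

```python
import re
from dataclasses import dataclass

# Web shell filenames named in CISA's description of the two incidents.
KNOWN_WEB_SHELLS = {"config.jsp", "d.jsp"}

# Assumed ColdFusion directory prefixes (lower-case); adjust to your deployment.
CF_PATH_PREFIXES = ("/cfide/", "/cf_scripts/")

# Simplified access-log layout used for the constructed sample below.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<ip>\S+)$"
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def triage_access_log(lines):
    """Return a Finding for each log line matching a trace from the advisory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        method, path, ip = m["method"].upper(), m["path"], m["ip"]
        lower = path.lower()
        in_cf_dir = lower.startswith(CF_PATH_PREFIXES)
        filename = lower.rsplit("/", 1)[-1]
        if filename in KNOWN_WEB_SHELLS:
            findings.append(Finding(ip, path, "request for web shell filename named by CISA"))
        elif in_cf_dir and lower.endswith(".jsp"):
            # ColdFusion ships on a Java servlet container, so a stray JSP under
            # its directories is a strong indicator of a dropped web shell.
            findings.append(Finding(ip, path, "JSP file under ColdFusion directory"))
        elif in_cf_dir and method == "POST":
            # Noisy on its own, but this is the delivery method CISA observed.
            findings.append(Finding(ip, path, "POST to ColdFusion directory"))
    return findings


def suspicious_ips(findings):
    """Distinct client IPs behind the findings, for follow-up or blocking."""
    return sorted({f.ip for f in findings})


# Constructed sample log lines (not real traffic; RFC 5737 documentation IPs).
SAMPLE_LOG = [
    "2023-06-26 13:58:02 GET /index.cfm 200 198.51.100.10",
    "2023-06-26 14:02:11 POST /CFIDE/example.cfm 200 203.0.113.5",
    "2023-06-26 14:05:40 GET /CFIDE/config.jsp 200 203.0.113.5",
    "2023-06-02 09:12:33 GET /cf_scripts/d.jsp 200 192.0.2.77",
    "2023-06-26 14:10:01 POST /api/login 401 198.51.100.22",
]

if __name__ == "__main__":
    for f in triage_access_log(SAMPLE_LOG):
        print(f"{f.ip}\t{f.path}\t{f.reason}")
    print("review:", suspicious_ips(triage_access_log(SAMPLE_LOG)))
```

The three tiers are ordered from most to least specific so that a single line produces one finding with its strongest reason; the POST tier will also match legitimate administrative traffic and is best used to narrow a time window around a confirmed web shell hit rather than as an alert on its own.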
Fortunately, both attacks were detected and blocked before the intruders were able to exfiltrate data or move laterally. The compromised assets were removed from critical networks within 24 hours. CISA’s analysis categorizes these attacks as reconnaissance efforts, although it is unclear whether the same threat actor is behind both intrusions.
To mitigate the risk posed by this vulnerability, CISA recommends the following measures:
- Upgrade ColdFusion to the latest available version
- Apply network segmentation
- Set up a firewall or Web Application Firewall (WAF)
- Enforce signed software execution policies
By following these recommendations, organizations can reduce their exposure to potential attacks and enhance the security of their systems.
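The first recommendation, upgrading ColdFusion, can be checked across a server inventory against the version boundaries the article gives (2018 Update 16 and 2021 Update 6 fix the issue; anything earlier on those branches, and any other release, needs attention). The script below is an added example, not from the article, CISA, or Adobe. It assumes ColdFusion version strings of the form YEAR.minor.UPDATE[.build], optionally prefixed with "v" as in the article, with the third component being the update number; the host names and versions in the sample inventory are constructed.

```python
import re

# Fixed versions named in the article: 2018 Update 16 and 2021 Update 6.
# Maps the release year to the first update that fixes CVE-2023-26360.
FIXED_UPDATE = {2018: 16, 2021: 6}

# Assumed layout: YEAR.minor.UPDATE[.build], with an optional leading "v".
VERSION_RE = re.compile(
    r"^v?(?P<year>\d{4})\.(?P<minor>\d+)\.(?P<update>\d+)(?:\.(?P<build>\d+))?$"
)


def parse_version(version):
    """Return (release_year, update_number) from a ColdFusion version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(m["year"]), int(m["update"])


def assess(version):
    """Classify one server's ColdFusion version against the fixed releases."""
    year, update = parse_version(version)
    fixed = FIXED_UPDATE.get(year)
    if fixed is None:
        # Releases outside 2018/2021 are not covered by the fixes named in the
        # advisory (the article's v2016 server is an example); treat as needing
        # an upgrade rather than guessing at their exposure.
        return f"upgrade: ColdFusion {year} is not a release with a fix for CVE-2023-26360"
    if update >= fixed:
        return "patched"
    return f"vulnerable: ColdFusion {year} Update {update}, needs Update {fixed} or later"


def triage_inventory(inventory):
    """Map each host to its assessment; unparsable versions are reported, not skipped."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = assess(version)
        except ValueError as exc:
            results[host] = f"unknown: {exc}"
    return results


def hosts_needing_action(results):
    return sorted(h for h, r in results.items() if r != "patched")


# Constructed sample inventory; versions of the two breached servers are taken
# from the article, the rest are illustrative.
SAMPLE_INVENTORY = {
    "cf-web-01": "v2016.0.0.3",
    "cf-web-02": "v2021.0.0.2",
    "cf-web-03": "2021.0.6.330109",
    "cf-web-04": "2018.0.15.330109",
    "cf-web-05": "not-installed",
}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Because the fix map is keyed by release year, extending it to later advisories is a one-line change; hosts whose version cannot be parsed are surfaced as "unknown" so that a malformed inventory entry never silently reads as patched.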
It is crucial for federal organizations and state services to take immediate action and apply the available security updates to protect their servers from exploitation. Staying vigilant and proactive in implementing cybersecurity measures is essential to safeguard critical infrastructure and sensitive information from malicious actors.