CVE-2023-26359 — Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Adobe ColdFusion 2018/2021 — Pre-Auth Java Deserialization RCE, Patched in APSB23-25; First of Three ColdFusion Deserialization CVEs in 2023; KEV August 2023

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial Java-based application server and web development platform used by government agencies, financial institutions, healthcare organizations, and enterprises to build and host internal business applications and public-facing web portals. ColdFusion's Java runtime processes HTTP requests server-side and typically has broad access to backend databases, file systems, and internal network resources. In 2023, ColdFusion was subject to three separate Java deserialization vulnerability CVEs — CVE-2023-26359 (March, APSB23-25), CVE-2023-29300 (July, APSB23-40), and CVE-2023-38203 (July, APSB23-41) — reflecting sustained researcher and attacker focus on ColdFusion's deserialization handling as a recurring vulnerability class.

Overview

CVE-2023-26359 is the first of the three 2023 ColdFusion deserialization vulnerabilities, patched by Adobe on March 14, 2023 in bulletin APSB23-25. It is a pre-authentication Java deserialization vulnerability that allows an unauthenticated attacker to execute arbitrary code on the ColdFusion server in the context of the current user (typically the IIS application pool or Windows service account). CISA added it to the Known Exploited Vulnerabilities catalog on August 21, 2023 — five months after the patch — confirming active exploitation of unpatched ColdFusion deployments.

Affected Versions

  Product          Vulnerable              Fixed
  ColdFusion 2021  Update 5 and earlier    Update 6 (APSB23-25)
  ColdFusion 2018  Update 15 and earlier   Update 16 (APSB23-25)

Note: ColdFusion 2021 Update 6 and ColdFusion 2018 Update 16 also address the companion vulnerability CVE-2023-26360 (arbitrary file read). Both should be applied together.

Technical Details

CWE-502 (Deserialization of Untrusted Data). ColdFusion's web server processes HTTP requests that may include Java serialized object streams for session handling, inter-component communication, or legacy application integration. A flaw in how ColdFusion's Java runtime handles deserialization allows an unauthenticated attacker to submit a specially crafted HTTP request containing a malicious Java gadget chain. When Java's ObjectInputStream deserializes the crafted object, methods on the deserialized class hierarchy execute attacker-controlled code before application authentication logic runs.
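The mechanism above (a serialized object stream whose class descriptors drive ObjectInputStream into attacker-chosen code) is easiest to see from the defender's side: inspect a captured request body, list the classes it would instantiate, and reject anything outside an allowlist, which is what a JEP 290 ObjectInputFilter (the `jdk.serialFilter` property or `ObjectInputStream.setObjectInputFilter`) does inside the JVM. The Python below is an added example written for this page; it is not ColdFusion code, does not model ColdFusion's own request handling, and the `APP_ALLOWLIST`, the placeholder class name and both sample byte strings are constructed for illustration.

```python
"""Inspect a captured request body for a Java serialization stream, list
the classes it would instantiate, and apply an allowlist the way a
JEP 290 ObjectInputFilter does.  Added example in Python; it is not
ColdFusion code and does not model ColdFusion's own request handling."""
from __future__ import annotations

import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC = 0x72                 # tag that starts a class descriptor

# Plain Java class names; primitive/array descriptors such as "[B" are
# deliberately not matched, they instantiate no application class.
CLASS_NAME_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def is_java_serialized(blob: bytes) -> bool:
    """True if the body starts with the Java serialization magic header."""
    return blob[:4] == STREAM_MAGIC


def extract_class_names(blob: bytes) -> list[str]:
    """Heuristic scan: each TC_CLASSDESC tag followed by a 2-byte length
    and a UTF-8 string that looks like a class name.  No full parse of the
    stream grammar, so it also works on truncated or partly corrupt captures."""
    names: list[str] = []
    i = 4 if is_java_serialized(blob) else 0
    while i < len(blob) - 3:
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", blob, i + 1)
            raw = blob[i + 3 : i + 3 + length]
            if length and len(raw) == length:
                name = raw.decode("utf-8", errors="replace")
                if CLASS_NAME_RE.match(name):
                    names.append(name)
                    i += 3 + length  # skip past the name just consumed
                    continue
        i += 1
    return names


def check_stream(blob: bytes, allowlist: frozenset[str]) -> tuple[bool, str]:
    """Return (accept, reason).  Like an allowlist ObjectInputFilter, one
    class outside the allowlist rejects the whole stream."""
    if not is_java_serialized(blob):
        return True, "not a Java serialization stream"
    names = extract_class_names(blob)
    denied = [n for n in names if n not in allowlist]
    if denied:
        return False, "rejected classes: " + ", ".join(denied)
    return True, "all %d classes allowlisted" % len(names)


def class_desc(name: str) -> bytes:
    """Start of a TC_CLASSDESC record: tag, length-prefixed name, then an
    8-byte serialVersionUID (zeroed here; constructed sample data)."""
    raw = name.encode()
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8


# Constructed samples (not real captures, not complete object streams):
# a benign HashMap prefix, and one naming a placeholder class that no
# application allowlist would contain.
BENIGN_SAMPLE = STREAM_MAGIC + b"\x73" + class_desc("java.util.HashMap") + b"\x03\x00\x02"
SUSPECT_SAMPLE = (
    STREAM_MAGIC + b"\x73" + class_desc("com.example.placeholder.UnknownType")
    + b"\x03\x00\x02" + class_desc("java.util.HashMap")
)

# Hypothetical application allowlist: only the types the app legitimately
# serializes.  Real deployments derive this from the application's own code.
APP_ALLOWLIST = frozenset({"java.util.HashMap", "java.lang.String", "java.lang.Integer"})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, check_stream(blob, APP_ALLOWLIST))
```

The scan is a heuristic, not a grammar-complete parser: it finds every class descriptor the stream would resolve without trusting the stream's own structure, which is the right posture for a body that may be hostile. The allowlist decision is the important part; a denylist of known gadget classes is what a JEP 290 filter should not be, because a new gadget chain in any library on the classpath bypasses it.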

APSB23-25 also addressed CVE-2023-26360, an arbitrary file read vulnerability. The combination of file read (to access ColdFusion configuration files containing credentials and connection strings) and RCE (to execute code) in the same advisory represents a comprehensive compromise capability.

Successful exploitation typically results in:

  • Deployment of .cfm or .jsp web shells for persistent access
  • Harvesting database credentials from ColdFusion datasource configuration
  • Lateral movement to databases and internal services accessible from the ColdFusion server

Discovery

Discovered by security researchers and reported to Adobe through coordinated disclosure. Adobe patched CVE-2023-26359 and CVE-2023-26360 together in APSB23-25, the March 2023 ColdFusion security bulletin.

Exploitation Context

The five-month delay between Adobe's patch (March 2023) and CISA's KEV addition (August 2023) reflects the pattern of ColdFusion exploitation: attackers systematically target unpatched ColdFusion deployments, particularly government and regulated-industry servers, long after patches are available. ColdFusion servers in government environments are frequently running older, unmaintained versions — making them persistent targets for opportunistic and targeted attackers alike.

The 2023 ColdFusion deserialization trilogy (APSB23-25, APSB23-40, APSB23-41) underscores the importance of applying all ColdFusion cumulative updates promptly — attackers chain knowledge from earlier CVEs to discover and exploit subsequent vulnerabilities in the same codebase.

Remediation

  1. Apply Adobe APSB23-25 to update to ColdFusion 2021 Update 6 or ColdFusion 2018 Update 16.
  2. Also apply APSB23-40 (CVE-2023-29300) and APSB23-41 (CVE-2023-38203) — all three 2023 ColdFusion deserialization patches are required for complete remediation.
  3. Apply Adobe's ColdFusion lockdown guide to restrict CFIDE admin access to localhost, disable unnecessary ColdFusion services, and restrict servable file extensions.
  4. Restrict ColdFusion Administrator to management-network-only access — it should never be internet-accessible.
  5. Inspect ColdFusion web roots for unexpected .cfm, .cfc, or .jsp files that could be web shells — particularly in upload directories or under /CFIDE paths.
  6. Review ColdFusion access logs for unusual POST requests with binary content around and after March 2023, indicating deserialization attack attempts.
  7. Rotate all database credentials and API keys stored in ColdFusion datasource and application configuration.
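Steps 5 and 6 are the hunting steps, so here is one way to carry them out against a ColdFusion host. This is an added Python example written for this page, not Adobe tooling and not part of the advisory: the content markers, the `10.0.0.` management prefix, the web-root walk and the IIS W3C log lines are assumptions and constructed samples, to be tuned to the real deployment.

```python
"""Triage helpers for remediation steps 5 and 6: hunt for unexpected
script files in a ColdFusion web root and flag suspicious POST requests
in IIS W3C access logs.  Added example, not Adobe tooling; markers, the
management prefix and the sample log are assumptions/constructed."""
from __future__ import annotations

import os
import re
from datetime import datetime, timezone

SCRIPT_EXTS = {".cfm", ".cfc", ".jsp", ".jspx"}

# Content rare in normal application code but typical of command-execution
# web shells.  Heuristic signatures (assumed); extend per application.
SHELL_MARKERS = [
    re.compile(rb"<cfexecute\b", re.I),
    re.compile(rb"Runtime\.getRuntime\(\)\.exec", re.I),
    re.compile(rb"ProcessBuilder\(", re.I),
    re.compile(rb"createObject\(\s*[\"']java[\"']", re.I),
]


def score_file(path: str, data: bytes, mtime: datetime, since: datetime) -> list[str]:
    """Reasons a script file looks suspicious; an empty list means unflagged."""
    reasons: list[str] = []
    if os.path.splitext(path)[1].lower() not in SCRIPT_EXTS:
        return reasons
    low = path.lower().replace("\\", "/")
    if "/cfide/" in low or "/upload" in low:
        reasons.append("script in CFIDE or upload path")
    if mtime >= since:
        reasons.append("modified on/after %s" % since.date())
    for marker in SHELL_MARKERS:
        if marker.search(data):
            reasons.append("contains " + marker.pattern.decode())
            break
    return reasons


def hunt_webroot(root: str, since: datetime) -> dict[str, list[str]]:
    """Walk a real directory tree and score every script file in it."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            with open(path, "rb") as fh:
                data = fh.read(512 * 1024)  # first 512 KiB is enough for the markers
            reasons = score_file(path, data, mtime, since)
            if reasons:
                findings[path] = reasons
    return findings


def triage_iis_log(lines, management_prefix: str = "10.0.0.", min_post_bytes: int = 1024) -> list[dict]:
    """Flag POSTs from outside the management range that carry a large body
    (cs-bytes) or target /CFIDE/.  Access logs do not hold the body itself,
    so size and path are the available proxies for 'binary content'."""
    fields = None
    flagged: list[dict] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") != "POST" or rec.get("c-ip", "").startswith(management_prefix):
            continue
        size = int(rec.get("cs-bytes") or 0)
        uri = rec.get("cs-uri-stem", "")
        why: list[str] = []
        if size >= min_post_bytes:
            why.append("large body %d bytes" % size)
        if uri.lower().startswith("/cfide/"):
            why.append("POST to CFIDE")
        if why:
            flagged.append({"when": rec.get("date", "") + " " + rec.get("time", ""),
                            "ip": rec.get("c-ip", ""), "uri": uri, "why": why})
    return flagged


# Constructed sample (IIS W3C extended format; not from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2023-03-20 02:11:05 10.0.0.15 POST /CFIDE/administrator/index.cfm 200 512
2023-03-20 02:13:44 198.51.100.23 POST /cfusion/app/login.cfm 200 310
2023-03-20 02:14:02 198.51.100.23 POST /cfusion/app/index.cfm 500 41984
2023-03-20 02:14:20 198.51.100.23 POST /CFIDE/scripts/ajax/test.cfm 404 88
2023-03-20 02:15:01 203.0.113.9 GET /index.cfm 200 0
""".splitlines()

if __name__ == "__main__":
    for hit in triage_iis_log(SAMPLE_LOG):
        print(hit)
    # hunt_webroot(r"C:\ColdFusion2021\cfusion\wwwroot", datetime(2023, 3, 14, tzinfo=timezone.utc))
```

Correlate the two outputs rather than acting on either alone: a large POST from an unfamiliar source that returns 500 and is followed within minutes by a script file created under an upload or CFIDE path is the pattern worth pulling a disk image for. Files flagged only by modification date are usually legitimate deployments and can be cleared against change records.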

Key Details

  Property              Value
  CVE ID                CVE-2023-26359
  Vendor / Product      Adobe — ColdFusion
  NVD Published         2023-03-23
  NVD Last Modified     2025-10-23
  CVSS 3.1 Score        9.8
  CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Severity              CRITICAL
  CWE                   CWE-502
  CISA KEV Added        2023-08-21
  CISA KEV Deadline     2023-09-11
  Known Ransomware Use  No

CVSS 3.1 Breakdown

  Attack Vector         Network
  Attack Complexity     Low
  Privileges Required   None
  User Interaction      None
  Scope                 Unchanged
  Confidentiality       High
  Integrity             High
  Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-09-11. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

  Date        Event
  2023-03-14  Adobe releases APSB23-25 patching CVE-2023-26359 and CVE-2023-26360 — Java deserialization and arbitrary file read in ColdFusion
  2023-03-23  CVE-2023-26359 published
  2023-08-21  CISA adds CVE-2023-26359 to Known Exploited Vulnerabilities catalog — 5 months after patch, confirmed exploitation
  2023-09-11  CISA BOD 22-01 remediation deadline

References

  Resource                                          Type
  Adobe Security Bulletin APSB23-25 — ColdFusion    Vendor Advisory
  NVD — CVE-2023-26359                              Vulnerability Database
  CISA KEV Catalog Entry                            US Government