CVE-2023-26360 — Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Adobe ColdFusion — Unauthenticated Improper Access Control Enabling Server-Side Code Execution; Emergency Out-of-Band Patch; KEV Added Before NVD Publication

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial application server platform used by enterprises and government agencies for rapid web application development. ColdFusion uses the CFML (ColdFusion Markup Language) scripting language and runs on a Java application server. It is often deployed to host web-facing applications that interact with databases — and because ColdFusion servers are internet-accessible by design, unauthenticated vulnerabilities in ColdFusion are particularly severe. ColdFusion administration endpoints and serialization mechanisms have been a recurring attack surface; prior critical vulnerabilities (CVE-2010-2861, CVE-2019-7816) also enabled unauthenticated access to sensitive server functionality.

Overview

CVE-2023-26360 is an improper access control vulnerability (CWE-284) in Adobe ColdFusion that allows an unauthenticated remote attacker to access restricted server-side functionality, potentially enabling further exploitation including file access and code execution. Adobe issued an emergency out-of-band patch (APSB23-25) on March 14, 2023 — and CISA simultaneously added it to the KEV catalog, eight days before NVD formally published the CVE. The kevAdded date preceding datePublished reflects that exploitation was confirmed before the standard CVE publication process completed. The CVSS S:C (scope changed) reflects that successful exploitation impacts components and data beyond the vulnerable application itself.

Affected Versions

Product                  Affected               Fixed
Adobe ColdFusion 2021    Update 5 and earlier   Update 6 (APSB23-25)
Adobe ColdFusion 2018    Update 15 and earlier  Update 16 (APSB23-25)

ColdFusion 2016 and earlier are end-of-life and did not receive patches.

Technical Details

The improper access control (CWE-284) allows an unauthenticated attacker to reach restricted ColdFusion administrative or internal endpoints without valid credentials. ColdFusion's administrator interface and internal APIs use Java object serialization for remote management operations. When an attacker can bypass access control to reach a serialization endpoint, they can submit crafted serialized objects — a classic Java deserialization attack — triggering server-side code execution via a gadget chain in ColdFusion's classpath.

The CVSS vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N classifies the primary impact as confidentiality (C:H) with scope change — reflecting the ability to access sensitive data and components beyond the vulnerable endpoint. However, observed exploitation included webshell installation and code execution, consistent with the deserialization attack vector enabling more than information disclosure.

Authentication is not required (PR:N), and no user interaction is needed (UI:N), making this a straightforward network-accessible exploit requiring only the ColdFusion service port to be reachable.

Discovery

CVE-2023-26360 was identified from exploitation observed in the wild, prompting Adobe's emergency out-of-band patch rather than waiting for a scheduled security update cycle. The simultaneous CISA KEV addition on March 14, 2023 reflects that active exploitation was confirmed by the time Adobe released the fix.

Exploitation Context

ColdFusion servers are internet-facing by design and frequently host business applications connected to databases containing sensitive information. Attackers exploiting CVE-2023-26360 were observed installing webshells on ColdFusion servers — providing persistent backdoor access for data exfiltration, lateral movement, and follow-on attacks. The emergency out-of-band patch (rather than a scheduled update) indicates Adobe assessed the exploitation severity as requiring immediate action outside the normal quarterly patch cycle.

Remediation

  1. Apply APSB23-25 immediately — update ColdFusion 2021 to Update 6 or ColdFusion 2018 to Update 16 via the ColdFusion Administrator.
  2. Decommission ColdFusion 2016 and earlier — these versions are end-of-life and did not receive APSB23-25; they remain vulnerable and should be replaced with a supported version or alternative platform.
  3. Restrict ColdFusion Administrator access — the admin interface (typically port 8500 or via the web root /CFIDE/administrator/) should never be internet-accessible; restrict it to internal management networks.
  4. Apply ColdFusion lockdown guide — Adobe publishes a ColdFusion Lockdown Guide with recommended security configurations including disabling unnecessary services and restricting access to /CFIDE/ paths.
  5. Audit for webshells — search the ColdFusion web root and deployed application directories for .cfm or .jsp files added after March 2023 that weren't placed there by your team.
  6. Review ColdFusion access logs for evidence of unauthenticated access to administrator or internal endpoints prior to patching.
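The log review and webshell audit in steps 3, 5 and 6 can be scripted. The following is an added example, not Adobe's tooling or anything from the bulletin; it assumes a combined-format access log, a 10.0.0.0/8 management network, and a manifest of the script files your team deployed, and the log lines and directory listing it carries are constructed for the demonstration:

```python
"""Hunt helpers for CVE-2023-26360 follow-up: added example, not Adobe tooling. Assumes a
combined-format access log, a 10.0.0.0/8 management network and a manifest of deployed files."""
import ipaddress
import os
import re
from datetime import datetime, timezone

PATCH_DATE = datetime(2023, 3, 14, tzinfo=timezone.utc)  # APSB23-25 release date
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal management range
# Assumed combined-log shape: ip ident user [ts] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Constructed sample data (documentation-range addresses, not real traffic or a real host)
SAMPLE_LOG = [
    '10.1.2.3 - - [10/Mar/2023:09:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2023:03:14:15 +0000] "POST /CFIDE/administrator/index.cfm?x=1 HTTP/1.1" 200 734',
    '198.51.100.9 - - [13/Mar/2023:11:00:00 +0000] "GET /app/login.cfm HTTP/1.1" 200 2048',
]
SAMPLE_FILES = [  # (path relative to web root, last-modified time)
    ("app/login.cfm", datetime(2022, 1, 1, tzinfo=timezone.utc)),
    ("app/report.cfm", datetime(2023, 4, 2, tzinfo=timezone.utc)),   # listed in the manifest
    ("app/h.jsp", datetime(2023, 3, 20, tzinfo=timezone.utc)),       # not in the manifest
    ("images/logo.png", datetime(2023, 4, 2, tzinfo=timezone.utc)),  # not a script type
]
MANIFEST = {"app/login.cfm", "app/report.cfm"}

def flag_admin_hits(log_lines):
    """(ip, path, status) for requests to /CFIDE/ paths from outside the management networks."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_lines)):
        path = m.group("path").split("?", 1)[0]            # drop any query string first
        if not path.lower().startswith("/cfide/"):
            continue
        if any(ipaddress.ip_address(m.group("ip")) in net for net in MGMT_NETS):
            continue                                       # expected management traffic
        hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits

def find_new_scripts(entries, manifest):
    """Script files (.cfm/.jsp) modified after the patch date that the manifest does not list."""
    return sorted(rel for rel, mtime in entries
                  if rel.lower().endswith((".cfm", ".jsp")) and mtime > PATCH_DATE and rel not in manifest)

def walk_webroot(webroot):
    """Yield (relative path, mtime) for every file under a real web root, for find_new_scripts."""
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            yield (os.path.relpath(full, webroot).replace(os.sep, "/"),
                   datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc))
```

On a real host, pass `walk_webroot("/path/to/wwwroot")` and your deployment manifest to `find_new_scripts`; a modification time is only a first filter, since an intruder can reset it, so review anything the manifest cannot account for.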

Key Details

CVE ID: CVE-2023-26360
Vendor / Product: Adobe — ColdFusion
NVD Published: 2023-03-23
NVD Last Modified: 2025-10-23
CVSS 3.1 Score: 8.6
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-284
CISA KEV Added: 2023-03-15
CISA KEV Deadline: 2023-04-05
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-04-05. Apply updates per vendor instructions.

Timeline

Date        Event
2023-03-14  Adobe issues emergency out-of-band security bulletin APSB23-25 for ColdFusion, patching CVE-2023-26360; CISA adds it to the KEV catalog on the same day
2023-03-23  CVE-2023-26360 formally published on NVD — eight days after KEV addition, reflecting Adobe's emergency disclosure ahead of NVD processing
2023-04-05  CISA BOD 22-01 remediation deadline

References

Resource                             Type
Adobe Security Bulletin APSB23-25    Vendor Advisory
NVD — CVE-2023-26360                 Vulnerability Database
CISA KEV Catalog Entry               US Government