Adobe patch nightmare: Trio of application server vulnerabilities being exploited

Want to let criminals “query your databases, add/change/delete files, export data or files off your server”? No? Then you should probably be paying close attention to whether you are running Adobe ColdFusion and whether you are exposed...

Too many holes in Adobe ColdFusion ...

A THIRD Adobe ColdFusion vulnerability is being exploited in the wild in just six months. CISA this week urged organisations to patch promptly.

Proof-of-concept exploits for CVE-2023-26359, rated CVSS 9.8, are easily available and, as the National Vulnerability Database (NVD) says in its CVE note, “exploitation of this issue does not require user interaction.”

Attacks appear to have been ongoing since January 2023 and confusion abounds in many organisations over the extent of their exposure, with Adobe also facing criticism in some quarters over the clarity of its patch notes.

(ColdFusion 2021 and 2023 got important security updates on August 16 that resolve several weaknesses that have led to recent exploits.)