US Federal Agencies Compromised Through Adobe ColdFusion Vulnerability
The US Cybersecurity and Infrastructure Security Agency (CISA) has reported that hackers are actively exploiting a critical vulnerability in Adobe ColdFusion (CVE-2023-26360) to gain initial access to government servers. This vulnerability allows attackers to execute arbitrary code on servers running Adobe ColdFusion 2018 Update 15 and earlier, as well as 2021 Update 5 and earlier. The flaw was exploited as a zero-day until Adobe released patches in mid-March 2023, issuing ColdFusion 2018 Update 16 and 2021 Update 6.
According to CISA, despite the release of patches for CVE-2023-26360, the vulnerability continues to be used in attacks. For example, incidents involving the exploitation of CVE-2023-26360 occurred as recently as June and affected systems at two unnamed federal agencies. CISA emphasized that both servers were running outdated software versions vulnerable to multiple CVEs.
CISA reports that attackers used the vulnerability to deploy malware via HTTP POST requests to directories associated with ColdFusion.
Details of the Incidents
- First Incident (June 26): The critical vulnerability was used to compromise a server running Adobe ColdFusion 2016.0.0.3. Attackers listed running processes, scanned the network, and deployed a web shell (config.jsp), which allowed them to inject code into the ColdFusion configuration file and extract credentials.
- Second Incident (June 2): Hackers exploited CVE-2023-26360 on a server running Adobe ColdFusion 2021.0.0.2. They gathered user account information, uploaded a text file that decoded into a remote access trojan (d.jsp), and attempted to extract registry files and SAM information. The attackers also used existing security tools to access SYSVOL, a special directory present on every domain controller.
In both cases, the attacks were detected and blocked before the attackers could obtain data or move laterally within the network. The compromises were resolved within 24 hours.
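As an added illustration (not code from the CISA advisory or this article), the following Python script scans web server access logs for the deployment pattern described above: a POST into a ColdFusion web directory from a client that then requests a .jsp file there, or any .jsp served from such a directory at all. The log lines are constructed, and the ColdFusion directory names (CFIDE, cf_scripts, cfusion) and the combined log format are assumptions about a typical install, not details taken from the advisory.

```python
import re
from collections import defaultdict

# Common/combined access-log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Web-accessible ColdFusion directories (assumption: typical install layout).
CF_DIRS = ("/cfide/", "/cf_scripts/", "/cfusion/")

# Constructed sample log; the .jsp names mirror the web shells named in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.7 - - [26/Jun/2023:10:02:15 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 88
203.0.113.7 - - [26/Jun/2023:10:02:40 +0000] "GET /CFIDE/config.jsp HTTP/1.1" 200 1024
10.0.0.9 - - [26/Jun/2023:10:03:00 +0000] "GET /cf_scripts/scripts/ajax/package/cfajax.js HTTP/1.1" 200 4096
198.51.100.3 - - [02/Jun/2023:08:10:00 +0000] "GET /cf_scripts/scripts/d.jsp HTTP/1.1" 200 64
"""

def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def in_cf_dir(path):
    return any(path.lower().startswith(d) for d in CF_DIRS)

def detect(log_text):
    """Return findings for .jsp requests under ColdFusion directories; a finding is
    escalated to 'post-then-jsp' when the same client POSTed there earlier."""
    findings = []
    posted = defaultdict(list)  # client IP -> paths it POSTed under CF_DIRS
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or not in_cf_dir(rec["path"]):
            continue
        if rec["path"].lower().endswith(".jsp"):
            reason = "post-then-jsp" if posted[rec["ip"]] else "jsp-in-coldfusion-dir"
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "reason": reason})
        if rec["method"] == "POST":
            posted[rec["ip"]].append(rec["path"])
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Any .jsp served from a ColdFusion directory is worth a ticket on its own; the correlated POST simply raises the priority.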