The Cybersecurity and Infrastructure Security Agency (CISA) has released a Cybersecurity Advisory in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch agency. This vulnerability presents an improper access control issue impacting specific versions of Adobe ColdFusion, some of which are no longer supported. In June 2023, through the exploitation of CVE-2023-26360, threat actors were able to establish an initial foothold on two federal agency systems in two separate instances. In both incidents, Microsoft Defender for Endpoint alerted the agencies of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment. Both servers were running outdated versions of software, which are vulnerable to various CVEs. Adobe ColdFusion is a commercial application server used for rapid web-application development, such as supporting proprietary markup languages for building web applications and integrating external components like databases and other third-party libraries. The advisory provides network defenders with details on the vulnerability; tactics, techniques, and procedures (TTPs): indicators of compromise (IOCs); and methods to detect and protect against similar exploitation. Organizations should prioritize remediating known exploited vulnerabilities, employ proper network segmentation, and enable multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Organizations are encouraged to implement the recommended mitigations in the advisory to improve their cybersecurity posture against this particular threat actor activity. CISA also recommends software manufacturers incorporate secure-by-design principles and tactics into their software development practices to limit the impact of threat actor techniques and strengthen the security posture for their customers. |