A critical vulnerability [1] [6], known as CVE-2023-26359 [1] [2] [3] [4] [5], has been discovered in Adobe ColdFusion 2018 and ColdFusion 2021 [3]. This vulnerability poses significant risks to the federal enterprise and is frequently exploited by malicious cyber actors [4] [5].


The vulnerability allows for the deserialization of untrusted data [1], which can lead to arbitrary code execution without user interaction [3]. It has a CVSS score of 9.8 and was patched by Adobe in March 2023. Active exploitation of the vulnerability has been observed, although the specific methods used are currently unknown. It is worth noting that a similar flaw in ColdFusion was previously identified by CISA and is listed in their Known Exploited Vulnerabilities catalog.

To protect FCEB networks against active threats [1] [4] [5], the Binding Operational Directive (BOD) 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the specified due date [1] [4] [5], which is September 11. It is strongly recommended that all organizations prioritize timely remediation of catalog vulnerabilities to reduce exposure to cyberattacks [1] [4] [5]. Adobe recommends applying security configuration settings and updating the ColdFusion JDK/JRE to the latest version for a secure server [2].

The issues related to CVE-2023-26359 were reported by Patrick Vares [2]. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria [1] [4] [5].


This critical vulnerability in Adobe ColdFusion poses significant risks to the federal enterprise and is actively exploited by malicious cyber actors. It is crucial for organizations to prioritize timely remediation of catalog vulnerabilities to reduce exposure to cyberattacks [1] [4] [5]. Following the recommended security configuration settings and updating to the latest version of ColdFusion JDK/JRE can help ensure a secure server. CISA will continue to monitor and add vulnerabilities to their catalog, highlighting the importance of ongoing vigilance and mitigation efforts.


[1] https://www.redpacketsecurity.com/cisa-cisa-adds-one-known-exploited-vulnerability-to-catalog-22-08-2023/
[2] https://www.darkreading.com/vulnerabilities-threats/adobe-patches-critical-deserialization-vulnerability-but-exploits-persist
[3] https://cyber.vumetric.com/security-news/2023/08/22/critical-adobe-coldfusion-flaw-added-to-cisa-s-exploited-vulnerability-catalog/
[4] https://www.cisa.gov/news-events/alerts/2023/08/21/cisa-adds-one-known-exploited-vulnerability-catalog
[5] https://www.assurantcyber.com/blog/cisa-adds-one-known-exploited-vulnerability-catalog/
[6] https://allinfosecnews.com/item/cisa-adds-critical-adobe-coldfusion-flaw-to-its-known-exploited-vulnerabilities-catalog-2023-08-22/