CVE Tools

CVE-2023-26360

Adobe ColdFusion Improper Access Control Arbitrary code execution

Published: Mar 23, 2023Updated: Oct 23, 2025 Sources: CVE List NVD BDUCWE-284

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

In plain language

AI Act now

CVE-2023-26360 is a vulnerability in Adobe ColdFusion that lets attackers run code on your server over the network without logging in or tricking anyone—typical small businesses using ColdFusion should treat this as an urgent patch.

Executive summary

CVE-2023-26360 is an Improper Access Control weakness in Adobe ColdFusion that allows unauthenticated remote attackers to trigger arbitrary code execution as the current user over the network.

If affected, business impact
Full server compromiseMalware persistence riskCustomer or file data exposureService disruption

What to do now

  1. Check whether your Adobe ColdFusion server is running a vulnerable version: 2018 Update 15 or earlier, or 2021 Update 5 or earlier.
  2. If it is vulnerable, immediately upgrade ColdFusion using Adobe’s instructions for APSB23-25.
  3. After updating, verify the ColdFusion version is no longer in the affected range and restart the service if your update process requires it.
  4. Confirm no unexpected changes occurred by reviewing ColdFusion and OS logs around the upgrade window.
Patch / advisory Some work to apply

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:CC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None

Weaknesses

Affected Products

and 2 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Mar 15, 2023
Remediation due:Apr 5, 2023

Required action: Apply updates per vendor instructions.

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

References

and 3 more references View all →
1

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-26360 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows