CVE-2023-26360
Adobe ColdFusion Improper Access Control Arbitrary code execution
Description
Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.
In plain language
AI Act nowCVE-2023-26360 is a vulnerability in Adobe ColdFusion that lets attackers run code on your server over the network without logging in or tricking anyone—typical small businesses using ColdFusion should treat this as an urgent patch.
CVE-2023-26360 is an Improper Access Control weakness in Adobe ColdFusion that allows unauthenticated remote attackers to trigger arbitrary code execution as the current user over the network.
What to do now
- Check whether your Adobe ColdFusion server is running a vulnerable version: 2018 Update 15 or earlier, or 2021 Update 5 or earlier.
- If it is vulnerable, immediately upgrade ColdFusion using Adobe’s instructions for APSB23-25.
- After updating, verify the ColdFusion version is no longer in the affected range and restart the service if your update process requires it.
- Confirm no unexpected changes occurred by reviewing ColdFusion and OS logs around the upgrade window.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:CScopeC:HConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply updates per vendor instructions.
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2023-26360 and every CVE in our database. Create a free account — no credit card required.
Create Free Account