Hackers exploiting Adobe ColdFusion bug to breach government servers

Hackers exploiting Adobe ColdFusion bug to breach government servers

Threat actors leveraged a vulnerability in popular Adobe software to compromise servers at two US federal agencies, the US cybersecurity agency warned.

The unidentified attackers exploited CVE-2023-26360, an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). The flaw also impacts no longer supported ColdFusion 2016 and ColdFusion 11 versions.

Adobe ColdFusion is a Java-based application server and a platform for building and deploying web and mobile applications.

The Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that the attacks took place in June 2023 and in both cases, the servers were running outdated versions of the web app development platform and were vulnerable to various CVEs.

“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment,” CISA said.

In one of the incidents, the hackers compromised a publicly accessible web server running Adobe ColdFusion v2016.0.0.3 via CVE-2023-26360. They then initiated process enumeration to retrieve information on currently active processes on the targeted web server. The threat actors traversed the filesystem and uploaded various artifacts to the web server.

In a separate incident, the threat actors gained an initial foothold on another public-facing web server running Adobe ColdFusion v2021.0.0.2. The adversaries gathered information about local and domain administrative user accounts during the reconnaissance phase.

The threat actors were observed deploying a remote access trojan (RAT) featuring a JavaScript loader for device infection.

CISA believes that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. The agency said it has no evidence that the attackers were able to exfiltrate data or move laterally. It’s unclear if the same threat actor is behind both incidents.

Back to the list

Latest Posts

RVTools official website compromised to distribute malware-laced installer

RVTools official website compromised to distribute malware-laced installer

The malware in question was the Bumblebee loader used in various high-profile cyberattacks to deploy additional payloads.
20 May 2025
New Linux cryptojacking campaign RedisRaider exploits public Redis servers

New Linux cryptojacking campaign RedisRaider exploits public Redis servers

The campaign uses legitimate Redis configuration commands to inject malicious cron jobs on vulnerable systems.
20 May 2025
China-aligned UnsolicitedBooker hackers target Saudi org with new MarsSnake backdoor

China-aligned UnsolicitedBooker hackers target Saudi org with new MarsSnake backdoor

The group’s toolset includes known Chinese cyber-espionage malware such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT.
20 May 2025
Popular Posts
Featured vulnerabilities
Dell Alienware Command Center update for Intel XTU software
Low Patched | 20 May, 2025
Denial of service in VMware Fusion
Low Patched | 20 May, 2025
Denial of service in VMware Workstation
Low Patched | 20 May, 2025
Multiple vulnerabilities in VMware vCenter Server
Medium Patched | 20 May, 2025
Multiple vulnerabilities in VMware ESXi
Medium Patched | 20 May, 2025