Hackers exploiting Adobe ColdFusion bug to breach government servers

Threat actors leveraged a vulnerability in popular Adobe software to compromise servers at two US federal agencies, the US cybersecurity agency warned.

The unidentified attackers exploited CVE-2023-26360, an improper access control vulnerability affecting Adobe ColdFusion 2018 Update 15 and earlier and ColdFusion 2021 Update 5 and earlier. The flaw also affects the no-longer-supported ColdFusion 2016 and ColdFusion 11 releases.

Adobe ColdFusion is a Java-based application server and a platform for building and deploying web and mobile applications.

The Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory that the attacks took place in June 2023 and that, in both cases, the servers were running outdated versions of the web application development platform and were vulnerable to several CVEs.

“In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment,” CISA said.

In one of the incidents, the hackers compromised a publicly accessible web server running Adobe ColdFusion v2016.0.0.3 via CVE-2023-26360. They then initiated process enumeration to retrieve information on currently active processes on the targeted web server. The threat actors traversed the filesystem and uploaded various artifacts to the web server.

In a separate incident, the threat actors gained an initial foothold on another public-facing web server running Adobe ColdFusion v2021.0.0.2. The adversaries gathered information about local and domain administrative user accounts during the reconnaissance phase.

The threat actors were observed deploying a remote access trojan (RAT) featuring a JavaScript loader for device infection.

CISA believes that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network. The agency said it has no evidence that the attackers were able to exfiltrate data or move laterally. It’s unclear if the same threat actor is behind both incidents.
