The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers.
"The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA said, adding an unnamed federal agency was targeted between June and July 2023. coldfusion server
The shortcoming affects ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023.
It was added by CISA to the Known Exploited Vulnerabilities (KEV) catalog a day later, citing evidence of active exploitation in the wild. Adobe, in an advisory released around that time, said it's aware of the flaw being "exploited in the wild in very limited attacks."
The agency noted that at least two public-facing servers were compromised using the flaw, both of which were running outdated versions of the software.
"Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion," CISA noted.
There is evidence to suggest that the malicious activity is a reconnaissance effort carried out to map the broader network, although no lateral movement or data exfiltration has been observed.
In one of the incidents, the adversary was observed traversing the filesystem and uploading various artifacts to the web server, including binaries that are capable of exporting web browser cookies as well as malware designed to decrypt passwords for ColdFusion data sources.
Also undertaken by the adversary were attempts to exfiltrate the Windows Registry files as well as unsuccessfully download data from a command-and-control (C2) server.
"During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface," CISA said.
"The seed.properties file contains the seed value and encryption method used to encrypt passwords. The seed values can also be used to decrypt passwords. No malicious code was found on the victim system to indicate the threat actors attempted to decode any passwords using the values found in seed.properties file."
Protect your organization from AI risks with expert insights on security and innovation in app development.
Discover effective PAS strategies to secure privileged accounts, reduce attack surfaces, and outpace cyber threats.
broadcom megaraid 12gb Get the latest news, expert insights, exclusive resources, and strategies from industry leaders – all for free.