The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a significant Adobe ColdFusion vulnerability by unidentified threat actors aiming to gain initial access to government servers.
CISA stated, “The ColdFusion vulnerability (CVE-2023-26360) manifests as an improper access control issue, and its exploitation can lead to arbitrary code execution.” The agency disclosed that an unnamed federal agency was targeted between June and July 2023.
The vulnerability impacts ColdFusion 2018 (up to Update 15) and ColdFusion 2021 (up to Update 5). Adobe has addressed this flaw in versions Update 16 and Update 6, respectively, released on March 14, 2023.
Shortly after its discovery, CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ongoing exploitation in the wild. In a corresponding advisory, Adobe acknowledged awareness of the flaw being “exploited in the wild in very limited attacks.”
CISA highlighted that at least two public-facing servers fell victim to the flaw, both running outdated ColdFusion versions. “Furthermore, threat actors initiated various commands on the compromised web servers; the exploited vulnerability enabled them to deploy malware through HTTP POST commands to the ColdFusion-associated directory path,” noted CISA.
While there are indications that the malicious activity is part of a reconnaissance effort to map the broader network, no lateral movement or data exfiltration has been detected.
In one incident, the adversaries were observed navigating the filesystem and uploading various artifacts to the web server, including binaries capable of extracting web browser cookies and malware intended for decrypting ColdFusion data source passwords.
In another incident in early June 2023, a remote access trojan, a modified version of the ByPassGodzilla web shell, was deployed. This trojan utilized a JavaScript loader to infect devices and communicated with an actor-controlled server to execute commands.
Additionally, the adversaries attempted to extract Windows Registry files and unsuccessfully attempted to download data from a command-and-control (C2) server.
“While analyzing this incident, it is strongly suggested that the threat actors likely accessed the data contained in the ColdFusion seed.properties file through the web shell interface,” stated CISA. “This file contains the seed value and encryption method used for encrypting passwords, which can be used for decryption purposes. However, no evidence of malicious code attempting to decode passwords using the values from the seed.properties file was found on the victim system.”
