ColdFusion CFC Deserialization RCE (CVE-2023-26359/CVE-2023-26360)
Description
Adobe ColdFusion versions prior to the March 2023 security update contain a critical deserialization vulnerability in the handling of ColdFusion Component (.cfc) file metadata. This flaw allows an unauthenticated remote attacker to make the server deserialize untrusted data, leading to arbitrary code execution on the server or unauthorized file access. The vulnerability lies in the core component processing mechanism and requires neither authentication nor user interaction to exploit.
Remediation
Apply the Adobe ColdFusion security updates immediately by following these steps:
1. Review the Adobe Security Bulletin APSB23-25 to determine whether your ColdFusion version is affected
2. Download and install the appropriate security update for your version from the Adobe website
3. For ColdFusion 2021, update to Update 6 or later
4. For ColdFusion 2018, update to Update 16 or later
5. Restart the ColdFusion service after applying updates
6. Verify the patch installation by checking the ColdFusion Administrator version information
7. Review server logs for any suspicious .cfc file access patterns that may indicate prior exploitation
If immediate patching is not possible, implement network-level access controls to restrict access to ColdFusion administrative interfaces and .cfc endpoints to trusted IP addresses only as a temporary mitigation measure.
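Step 7 and the temporary mitigation above both depend on knowing which requests to .cfc endpoints and the ColdFusion administrative interface came from outside the trusted address ranges. The following Python script is added here as an illustration and is not part of Adobe's guidance; it scans web-server access-log lines in Combined Log Format and reports such requests. The trusted network, the /CFIDE/administrator/ path prefix and the sample log lines are assumptions constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2023:10:01:12 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Mar/2023:10:02:44 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 403 0 "-" "curl/7.88"
203.0.113.7 - - [14/Mar/2023:10:02:45 +0000] "GET /app/Utils.cfc?method=getData HTTP/1.1" 200 2048 "-" "python-requests/2.28"
198.51.100.9 - - [14/Mar/2023:10:03:01 +0000] "GET /app/Utils.cfc HTTP/1.1" 200 1024 "-" "curl/7.88"
10.0.0.8 - - [14/Mar/2023:10:04:10 +0000] "GET /app/Utils.cfc?method=getData HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist: networks permitted to reach .cfc and administrator endpoints.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Paths the advisory says to restrict: .cfc component endpoints and the administrator UI.
SENSITIVE_PATH = re.compile(r"\.cfc(\?|$)|^/CFIDE/administrator/", re.IGNORECASE)

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_untrusted_sensitive_requests(log_text: str) -> list[dict]:
    """Return requests to .cfc or administrator paths that came from outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if SENSITIVE_PATH.search(m["path"]) and not is_trusted(m["ip"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits

def summarize_by_source(hits: list[dict]) -> dict[str, int]:
    """Count flagged requests per untrusted source address for triage."""
    return dict(Counter(h["ip"] for h in hits))

if __name__ == "__main__":
    found = find_untrusted_sensitive_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("requests per untrusted source:", summarize_by_source(found))
```

Point the script at the real access log of the web server fronting ColdFusion and replace the allowlist with your own trusted ranges; a 403 on the administrator path confirms the network restriction is working, while 200 responses to .cfc requests from untrusted sources warrant closer review.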