What is CVE-2023-26360?

Adobe ColdFusion is affected by a high-severity Improper Access Control vulnerability that could lead to arbitrary code execution. Exploitation does not require user interaction, making prompt patching critical.

What is the severity of CVE-2023-26360?

CVE-2023-26360 has a severity rating of HIGH with a CVSS base score of 8.6.

Is CVE-2023-26360 in CISA KEV?

Yes. CVE-2023-26360 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

CVE-2023-26360 | High Vulnerability in Adobe ColdFusion

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. This vulnerability allows attackers to execute code without requiring user interaction, which significantly increases the risk of exploitation.

The vulnerability has been classified with a CVSS score of 8.6, indicating a high severity level. The attack vector is over the network, and the complexity is low, meaning that attackers can exploit this vulnerability easily. Given the potential for arbitrary code execution, organizations must treat this vulnerability with urgency.

Risk to organizations includes unauthorized access to sensitive data and potential compromise of the entire system. Adobe has acknowledged this vulnerability and has provided patches to address the issue. Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability.

As of now, there are reports of known exploits in the wild, further emphasizing the need for urgent remediation. Organizations that use affected versions of ColdFusion must take action quickly to protect themselves from potential attacks.

Vulnerability Details

The vulnerability is characterized as Improper Access Control, categorized under CWE-284. The official description states that exploitation does not require user interaction, and the affected versions are Adobe ColdFusion 2018 Update 15 and earlier, and 2021 Update 5 and earlier.

The CVSS version 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating that the attack vector is network-based, with low complexity and no privileges required for exploitation. The confidentiality impact is rated high, while integrity and availability impacts are rated none.

Technical Analysis

The root cause of this vulnerability is related to improper access control mechanisms within Adobe ColdFusion, which may allow unauthorized users to execute arbitrary code. The attack vector is primarily network-based, which means that an attacker can exploit this vulnerability remotely without any physical access.

The attack complexity is low, and no user interaction is required, making it easier for attackers to exploit this vulnerability. The lack of required privileges means that even low-level users can potentially execute code.

Risk & Impact Analysis

Real-world deployment risk is significant due to the potential for arbitrary code execution. Attackers may leverage this vulnerability to gain unauthorized access and control over systems, leading to data breaches or system compromises. The blast radius for this vulnerability can be extensive, especially for organizations with multiple deployments of ColdFusion.

Given its classification in the KEV catalog, organizations should address this vulnerability in their priority patch cycle. The urgency is high, as the risk of exploitation is elevated due to the presence of known exploits.

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	Yes
Ransomware Use	No

Affected Versions

All versions prior to vendor patch are affected, specifically Adobe ColdFusion versions 2018 Update 15 and 2021 Update 5.

Mitigation & Remediation

Organizations should apply the patches provided by Adobe as per their advisory. For more information, please refer to the vendor's advisory at Adobe ColdFusion Security Advisory. Additionally, organizations should monitor their systems for any signs of exploitation and consider implementing network controls to limit exposure.

Detection Guidance

To detect potential exploitation attempts, organizations should monitor logs for unexpected changes or unauthorized access attempts. Behavioral anomalies in application performance or unexpected system behavior could also indicate exploitation.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of robust access controls in application security. Organizations should regularly review their security posture and ensure that access controls are properly implemented and regularly tested. For comprehensive security assessment, consider engaging in application security assessments and penetration testing to identify and remediate vulnerabilities proactively.

With the growing trend of exploiting such vulnerabilities, organizations must stay vigilant and ensure that their software is up to date with the latest security patches. Regularly reviewing and updating your security policies can significantly reduce the risk of similar vulnerabilities in the future.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2023-26360: High Vulnerability in Adobe ColdFusion