Hackers Are Actively Exploiting Unpatched Adobe ColdFusion
Experts Urge Immediate Patching and Reviewing Servers for Signs of Compromise
Hackers have been actively targeting vulnerabilities in Adobe ColdFusion to remotely execute code and compromise servers, and leading experts urge users to immediately update to patched versions.
Security firm Rapid7 warns it has identified an attack campaign that dates from at least early January that has compromised the ColdFusion installations of multiple organizations. It hasn't been able to conclusively tie those attacks to any specific vulnerabilities, meaning it's not clear if zero-day flaws play a role.
Adobe on March 14 released patches for ColdFusion 2018 and ColdFusion 2021, including a fix for a remote code execution flaw. Designated CVE-2023-26360, the vulnerability "has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," Adobe's security alert says.
Adobe recommends all users install ColdFusion 2018 update 16 or ColdFusion 2021 update 6 to fix the vulnerability. Those updates also patch two additional flaws: a critical vulnerability - meaning it allows for remote code execution - via deserialization of untrusted data, designated CVE-2023-26359, and a path traversal flaw, designated CVE-2023-26361, rated as "important," meaning it's less risky on its own but could be chained together with other attacks.
Rapid7 says in a blog post that "several of the CVEs" patched in the latest versions of both ColdFusion editions "are known to be exploited in the wild."
The U.S. Cybersecurity and Infrastructure Security Agency on March 15 added CVE-2023-26360 to its Known Exploited Vulnerabilities Catalog, saying that flaws that facilitate remote code execution "are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
CISA has given federal civilian agencies an April 5 deadline to patch vulnerable versions of ColdFusion. Although only those agencies are legally required to comply, CISA "strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice."
Attackers Drop Web Shells
In the attack campaign exploiting ColdFusion, which it says began at the start of this year, Rapid7 says it has seen attackers using a compromised website, ooshirts.com, to drop web shells - malicious scripts - designed to compromise servers running ColdFusion via PowerShell commands, and then download and execute additional malicious code. In attacks it has observed, "process start data indicates that ColdFusion 2018 is spawning malicious commands," Rapid7 says.
The company has released indicators of compromise tied to the attacks. While it hasn't attributed the attacks to any individual or group, it says the ooshirts.com site was first used last March in malicious attacks.
Regardless of which ColdFusion flaws attackers might now be targeting, "we strongly advise ColdFusion customers to update to the latest version to remediate known risk," Rapid7 says. "We also advise customers to examine their environments for signs of compromise."
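As an added illustration of the kind of process-start review Rapid7 recommends (this is not Rapid7's code or the article's), the Python below walks constructed process-creation records and flags any cmd.exe or PowerShell process whose parent chain leads back to the ColdFusion server process, including when a cmd.exe intermediary sits between them. The record layout and the image names are assumptions; the PLACEHOLDER argument stands in for an encoded command and is not a payload.

```python
import ntpath
from collections import namedtuple

# Constructed sample process-creation events (not real telemetry), one per line:
# timestamp | pid | ppid | image path | command line. PLACEHOLDER is not a payload.
SAMPLE_EVENTS = """\
2023-01-09T03:12:44Z | 4120 | 2208 | C:\\ColdFusion2018\\cfusion\\bin\\coldfusion.exe | coldfusion.exe -jar cfusion.jar
2023-01-09T03:12:44Z | 5001 | 4120 | C:\\Windows\\System32\\cmd.exe | cmd.exe /c powershell -nop -w hidden -enc PLACEHOLDER
2023-01-09T03:12:45Z | 5002 | 5001 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell -nop -w hidden -enc PLACEHOLDER
2023-01-09T03:15:00Z | 5003 | 4120 | C:\\ColdFusion2018\\jre\\bin\\java.exe | java -version
2023-01-09T08:00:05Z | 6101 | 6100 | C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | powershell Get-Process
"""

Event = namedtuple("Event", "ts pid ppid image cmdline")

# Assumed image names: the ColdFusion service binary on Windows, and the shells
# a dropped web shell would typically invoke. Adjust for your deployment.
COLDFUSION_IMAGES = {"coldfusion.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def image_name(ev):
    return ntpath.basename(ev.image).lower()

def parse_events(text):
    """Parse the pipe-delimited sample format into Event records."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, pid, ppid, image, cmdline = (f.strip() for f in line.split("|", 4))
        events.append(Event(ts, int(pid), int(ppid), image, cmdline))
    return events

def coldfusion_ancestor(pid, by_pid, max_depth=8):
    """Walk parent links from pid; return the ColdFusion ancestor's pid or None."""
    for _ in range(max_depth):
        ev = by_pid.get(pid)
        if ev is None or image_name(ev) in COLDFUSION_IMAGES:
            return ev and ev.pid  # None when the chain ends without ColdFusion
        pid = ev.ppid
    return None

def find_suspicious_shells(events):
    """Return (shell event, ColdFusion pid) for every cmd/PowerShell process
    whose parent chain leads back to the ColdFusion server process."""
    by_pid = {ev.pid: ev for ev in events}
    hits = []
    for ev in events:
        root = coldfusion_ancestor(ev.ppid, by_pid) if image_name(ev) in SHELL_IMAGES else None
        if root is not None:
            hits.append((ev, root))
    return hits
```

On the sample data the two processes under pid 4120 (the cmd.exe and the PowerShell it launched) are flagged, while the java child of ColdFusion and the user-launched PowerShell are not.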
Old-School Web Pedigree
For some people, ColdFusion might sound like a blast from the past, given that it was first released nearly 30 years ago by Allaire in 1995. It was acquired in 2001 by Macromedia, which was itself acquired by Adobe in 2005.
After the release of Adobe ColdFusion 11 in 2014, Adobe began naming new versions of the software after the release year: 2016, 2018, 2021.
The rapid web application development platform continues to be widely used, and Adobe is preparing ColdFusion 2023. The software comes in standard, enterprise, developer and Docker editions.
Only 0.3% of public-facing websites for which the server-side programming language used to build them could be identified use ColdFusion, reports web technology market researcher W3Techs.
Organizations running sites built using ColdFusion, it says, include technology giants Oracle and Verisign; the U.S. Food and Drug Administration and Environmental Protection Agency; Cornell University and the University of California, Irvine; and publications Financial Times and Scientific American.
From a security standpoint, as is typical with any software, not all ColdFusion users keep their installations updated.
Security firm Sophos detailed a 2021 investigation into a ransomware attack at an organization that it said began with attackers exploiting two publicly known ColdFusion vulnerabilities that had been patched in 2009 and 2010. It said the organization was still running Adobe ColdFusion 9 software - which, at that time, was 11 years old and thoroughly unsupported - on a server running the Windows Server 2008 operating system, which Microsoft had classified as being end-of-life in January 2020.