Ongoing in-the-wild exploitation of a critical deserialization flaw in Adobe ColdFusion has prompted its addition to the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog, according to The Hacker News.
Attackers could target unpatched Adobe ColdFusion 2018 and ColdFusion 2021 instances vulnerable to the already-fixed flaw, tracked as CVE-2023-26359, to achieve arbitrary code execution without any user interaction, which could in turn lead to denial-of-service conditions and other forms of compromise. The flaw has already been leveraged in "very limited attacks" against ColdFusion, said Adobe, which has not provided further details about the nature of the exploitation.
Meanwhile, federal civilian agencies have been urged to remediate the flaw, which Adobe fixed in its March security update (APSB23-25), by Sept. 11 to prevent potential compromise.
CISA had previously added another actively exploited ColdFusion vulnerability patched in the same March update, tracked as CVE-2023-26360, to its KEV catalog in March.