CVE-2023-26347: 
Adobe ColdFusion 2021 vulnerability analysis and mitigation

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability identified as CVE-2023-26347. The vulnerability was discovered by Matthew Galligan and Jon Cagan from CISA and was publicly disclosed on November 17, 2023. This security flaw could result in a security feature bypass, potentially compromising the system's security controls (NVD CVE, Adobe Advisory).

The vulnerability is classified as an Improper Access Control issue (CWE-284). It has received a CVSS v3.1 Base Score of 7.5 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This scoring indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges, and requires no user interaction (NVD CVE).

The vulnerability allows an unauthenticated attacker to access the administration CFM and CFC endpoints. This access could lead to unauthorized control over administrative functions and potential compromise of the ColdFusion server's security (NVD CVE, Fortiguard Report).

Adobe has released patches to address this vulnerability. Organizations are strongly advised to upgrade their ColdFusion installations to the latest version. FortiGuard Labs has implemented an IPS signature named 'Adobe.ColdFusion.IPFilterUtils.Authentication.Bypass' to protect against exploitations of this vulnerability since August 2023. Additionally, organizations should scan their environment for vulnerable servers and follow vendor-recommended best practices (Fortiguard Report).