CVE-2023-26359: 
Adobe ColdFusion 2018 vulnerability analysis and mitigation

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability (CVE-2023-26359) that could result in arbitrary code execution in the context of the current user. The vulnerability was discovered in February 2023 and publicly disclosed in March 2023. Notably, exploitation of this issue does not require user interaction (CVE Details).

The vulnerability is classified as a Deserialization of Untrusted Data (CWE-502) issue. It has received a CVSS v3.1 base score of 9.8 (Critical), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The scoring indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, and can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows attackers to execute arbitrary code in the context of the current user. Given the critical CVSS score and the potential for remote code execution, successful exploitation could lead to complete system compromise, allowing attackers to execute malicious code, access sensitive data, and potentially gain control of the affected system (AttackerKB).

Adobe has released security updates to address this vulnerability. Users should upgrade to ColdFusion 2018 Update 16 or ColdFusion 2021 Update 6. CISA has mandated federal agencies to apply the vendor patches by September 11, 2023 (Adobe Security Bulletin).