
CVE-2023-26360: Adobe ColdFusion — Deserialization RCE

CVE Details

CVE ID CVE-2023-26360
CVSS Score 8.6
Severity High
Vendor Adobe
Product ColdFusion
Patch Status Available
Published March 15, 2023
EPSS Score 94.3%
CISA Patch Deadline April 5, 2023 (federal deadline passed)

Background

Adobe ColdFusion is a commercial web application platform that’s been around since 1995. Despite its age — or perhaps because of it — ColdFusion remains in production at government agencies, universities, and enterprises that built their web applications on it and haven’t migrated. It’s often described as “legacy” but that’s not fair to the people who have to keep running it: legacy or not, it processes real transactions and stores real data.

CVE-2023-26360 was patched in March 2023 but not before it was exploited in the wild against US federal agencies. CISA published a detailed advisory in June 2023 describing the exploitation, making this one of the better-documented examples of a deserialization attack against a government-facing web platform.

Technical Mechanism

ColdFusion includes a Java deserialization pathway — it’s a Java-based platform at its core, and various features accept serialized Java objects. The vulnerability is an improper access control issue that allows an unauthenticated attacker to reach a deserialization endpoint that should require authentication.

The attack path:

  1. The attacker identifies a ColdFusion instance (often on port 8500, or proxied via Apache/IIS on port 80/443)
  2. A crafted HTTP request to a specific endpoint that bypasses the ColdFusion authentication check reaches the Java deserialization handler
  3. A serialized Java gadget chain (constructed using tools like ysoserial or exploiting ColdFusion’s own libraries) is sent as the request body
  4. ColdFusion deserializes the object, triggering the gadget chain
  5. The gadget chain executes arbitrary OS commands under ColdFusion’s service account

The CISA advisory described attackers creating webshells at specific file system paths, indicating they had precise knowledge of ColdFusion’s directory structure — suggesting prior preparation or existing knowledge of the target environment.
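Where a defender can observe step 3 of that path is the request body itself: every Java serialization stream opens with the same four-byte header, whether it arrives raw or encoded. The following Python routine is an added example written for this page (it is not Adobe’s, CISA’s, or any IDS vendor’s code). It looks for that header in a request body and rates the request by whether it targets a ColdFusion path. The sample requests are constructed, the /CFIDE/some-handler.cfm target is a placeholder (the page does not name the vulnerable endpoint), and treating /CFIDE/ and .cfm/.cfc paths as ColdFusion handlers is an assumption.

```python
import base64
import re
from typing import Optional

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). A body is recognisable as a serialized Java object
# from these four bytes alone, before any gadget chain inside it is parsed.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# The same header base64-encoded begins with "rO0AB" (the sixth character
# depends on the byte that follows), which is how such payloads travel inside
# form fields or JSON strings.
JAVA_STREAM_MAGIC_B64 = "rO0AB"
# Hex-encoded variant occasionally seen in form parameters.
HEX_MAGIC = re.compile(r"aced0005", re.IGNORECASE)


def find_java_stream(body: bytes) -> Optional[str]:
    """Return how a Java serialization header appears in body, or None."""
    if body.startswith(JAVA_STREAM_MAGIC):
        return "raw"
    if JAVA_STREAM_MAGIC in body:
        return "raw-embedded"  # e.g. header after a multipart boundary
    text = body.decode("ascii", errors="ignore")
    if JAVA_STREAM_MAGIC_B64 in text:
        return "base64"
    if HEX_MAGIC.search(text):
        return "hex"
    return None


def looks_like_coldfusion_path(path: str) -> bool:
    """Assumption: ColdFusion handlers live under /CFIDE/ or end in .cfm/.cfc."""
    lowered = path.lower().split("?", 1)[0]
    return lowered.startswith("/cfide/") or lowered.endswith((".cfm", ".cfc"))


def triage_request(method: str, path: str, body: bytes) -> str:
    """Rate one request. A serialized object sent to a ColdFusion path is the
    CVE-2023-26360 shape; one sent elsewhere still deserves a look."""
    encoding = find_java_stream(body)
    if encoding is None:
        return "ok"
    if looks_like_coldfusion_path(path):
        return f"alert: serialized Java object ({encoding}) to ColdFusion path {path}"
    return f"review: serialized Java object ({encoding}) in {method} {path}"


# Constructed sample traffic (not captured data): a normal admin page load, a
# raw serialized body to a placeholder ColdFusion path, and the same header
# base64-encoded inside a form field elsewhere.
SAMPLE_REQUESTS = [
    ("GET", "/CFIDE/administrator/index.cfm", b""),
    ("POST", "/CFIDE/some-handler.cfm",          # placeholder endpoint
     JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0bjava.lang..."),
    ("POST", "/api/upload",
     b"file=" + base64.b64encode(JAVA_STREAM_MAGIC + b"\x73\x72\x00")),
]


def triage_all(requests=SAMPLE_REQUESTS):
    """Apply triage_request to every (method, path, body) tuple."""
    return [triage_request(m, p, b) for m, p, b in requests]


if __name__ == "__main__":
    for verdict in triage_all():
        print(verdict)
```

The header check is cheap enough to run on every POST body at a reverse proxy or WAF; the point is that a deserialization endpoint reachable without authentication should never receive such a body from an unauthenticated client, so the presence of the header is itself the signal, independent of which gadget chain follows it.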

Real-World Exploitation Evidence

CISA’s June 2023 advisory documented specific exploitation against federal civilian executive branch (FCEB) agencies, making this one of the clearer cases of government targeting via this vulnerability. Key details from the advisory:

  • Attackers exploited CVE-2023-26360 to drop webshells on federal agency servers
  • Post-exploitation activity included network reconnaissance with ipconfig, whoami, net, and similar commands
  • Attackers enumerated user groups and network shares
  • Exfiltration of configuration files including neo-security.xml (which contains encrypted passwords)

The targeting of government ColdFusion instances specifically — rather than opportunistic mass exploitation — suggests this was planned, targeted activity, possibly by a state-sponsored group.

Impact Assessment

  • Remote code execution on the web server
  • Credential theft — neo-security.xml and similar ColdFusion config files contain encrypted passwords that can be cracked or used directly
  • Database access — ColdFusion datasource configurations contain database credentials
  • Webshell persistence — shells in web directories survive patches and server restarts
  • Sensitive data exposure — ColdFusion applications often process PII, financial data, and other regulated information
  • Network reconnaissance — ColdFusion servers are typically on the internal network; code execution provides a starting point for deeper penetration

Affected Versions

Product                  Affected Versions        Fixed Version
Adobe ColdFusion 2021    Update 5 and earlier     Update 6
Adobe ColdFusion 2018    Update 15 and earlier    Update 16

Note: Versions prior to ColdFusion 2018 are end-of-life and should be treated as permanently vulnerable.

Remediation Steps

  1. Apply Adobe ColdFusion security updates immediately
  2. If running ColdFusion 2016 or earlier — you need to migrate; these versions are EOL and will not receive patches
  3. Review the CISA advisory for specific IOC file paths and filenames to search for
  4. Check for unexpected .cfm or .jsp files in the web root:
    find /opt/coldfusion/ -name "*.cfm" -newer /opt/coldfusion/bin/cf9.jar -ls
    find /var/www/ -name "*.jsp" -ls
  5. Review ColdFusion’s server.xml, neo-security.xml, and similar configuration files for any modifications
  6. Check OS-level process list for unexpected child processes of the ColdFusion JVM
  7. If neo-security.xml was accessed, treat all passwords in it as compromised and rotate them
  8. Restrict access to ColdFusion’s administrator panel (/CFIDE/administrator/) to trusted IPs only
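Steps 3 to 7 above are one hunt, and the find commands in step 4 each cover a single extension. The Python script below is an added example for this page (not Adobe’s or CISA’s tooling) that does both file checks in one pass: it flags files sitting at the CISA-reported webshell paths listed under Detection Guidance, and it lists every .cfm/.cfc/.jsp file modified after a reference file, the same test the find -newer command makes. The install tree it scans is constructed in a temporary directory, and the reference file named patch-marker.jar stands in for whichever file the patch installed on your system.

```python
import os
import tempfile
import time
from typing import List, Tuple

# Relative paths (under wwwroot) CISA reported for dropped webshells, taken
# from this page's IOC list, normalised to forward slashes and lower case.
IOC_RELATIVE_PATHS = {
    "cfide/wizards/common/_logintowizard.cfm",
    "cfide/administrator/analyzer/index.cfm",
}
# Script-capable extensions a webshell on a ColdFusion host would use.
SCRIPT_EXTENSIONS = (".cfm", ".cfc", ".jsp")


def _relative_key(root: str, full_path: str) -> str:
    """Path relative to the web root in a form comparable across OSes."""
    rel = os.path.relpath(full_path, root)
    return rel.replace(os.sep, "/").lower()


def scan_webroot(webroot: str, reference_file: str) -> Tuple[List[str], List[str]]:
    """Walk webroot and return (ioc_hits, newer_scripts).

    ioc_hits      : files sitting at a CISA-reported webshell path
    newer_scripts : script files modified after reference_file (the page's
                    `find -newer` test applied to all three extensions)
    """
    baseline = os.path.getmtime(reference_file)
    ioc_hits, newer_scripts = [], []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            key = _relative_key(webroot, full)
            if key in IOC_RELATIVE_PATHS:
                ioc_hits.append(key)
            if name.lower().endswith(SCRIPT_EXTENSIONS) and os.path.getmtime(full) > baseline:
                newer_scripts.append(key)
    return sorted(ioc_hits), sorted(newer_scripts)


def _write(path: str, mtime: float, content: str = "<cfoutput></cfoutput>") -> None:
    """Create a file with the given modification time (constructed test data)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.utime(path, (mtime, mtime))


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed install tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="cf-hunt-")
    webroot = os.path.join(root, "wwwroot")
    now = time.time()
    # Constructed reference file standing in for a jar the patch installed.
    reference = os.path.join(root, "bin", "patch-marker.jar")
    _write(reference, now - 3600, content="")
    # Legitimate page that predates the patch: not reported.
    _write(os.path.join(webroot, "CFIDE", "administrator", "index.cfm"), now - 86400)
    # File at a CISA-reported webshell path, written after the patch: both lists.
    _write(os.path.join(webroot, "CFIDE", "administrator", "analyzer", "index.cfm"), now)
    # Unexpected JSP in an upload directory, newer than the patch: second list.
    _write(os.path.join(webroot, "uploads", "tmp.jsp"), now, content="<% %>")
    # A new static asset is ignored because it cannot execute.
    _write(os.path.join(webroot, "images", "logo.png"), now, content="")
    return scan_webroot(webroot, reference)


if __name__ == "__main__":
    hits, newer = demo()
    print("IOC path hits:", hits)
    print("Scripts newer than reference file:", newer)
```

Run scan_webroot against the real wwwroot with the patch’s own jar as the reference. Modification times can be backdated by an intruder, so an empty newer_scripts list does not clear the host; the IOC path check and the process-level checks in steps 5 and 6 still apply.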

Detection Guidance

ColdFusion logs — look in [ColdFusion install dir]/logs/ for:

  • Requests to unexpected endpoints
  • Java exceptions related to deserialization
  • Web requests from IPs that didn’t previously access the server

CISA-identified IOC paths:

  • C:\ColdFusion\wwwroot\CFIDE\wizards\common\_logintowizard.cfm (webshell)
  • C:\ColdFusion8\wwwroot\CFIDE\administrator\analyzer\index.cfm (webshell)

Suricata signature:

alert http any any -> any $HTTP_PORTS (msg:"Adobe ColdFusion CVE-2023-26360 Deserialization Attempt"; flow:established,to_server; http.uri; content:"/CFIDE/"; classtype:web-application-attack; sid:2034013; rev:1;)

As written, this rule fires on every request whose URI contains /CFIDE/, including legitimate administrator logins, so it identifies ColdFusion administrative traffic rather than exploitation. Scope it to source networks that should never reach those paths, or pair it with a match on the request body, before treating its alerts as exploitation attempts.

Windows Event Logs — look for process creation (Event ID 4688) with ColdFusion JVM as parent process spawning cmd.exe, powershell.exe, or other executables.
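That parent-child relationship can be checked mechanically over an export of 4688 records. The Python code below is an added example for this page (not a CISA or Microsoft tool). It walks a set of 4688 records, follows the creator-PID chain so that a whoami launched by a cmd.exe that the JVM launched is still caught, and rates each finding by whether the child is one of the reconnaissance binaries the advisory names. The event records are constructed, the paths in them are placeholders, and the rule for recognising the ColdFusion JVM (coldfusion.exe, or java.exe under a directory whose path contains “coldfusion”) is an assumption to adapt to the install.

```python
import ntpath
from typing import Dict, List, Optional

# Executables a ColdFusion JVM does not launch in normal operation; the first
# few are the reconnaissance commands named in the CISA advisory.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "ipconfig.exe",
    "net.exe", "net1.exe", "nltest.exe", "certutil.exe",
}
MAX_ANCESTORS = 8  # guard against cycles in a malformed export


def is_coldfusion_jvm(image_path: str) -> bool:
    """Assumption: the service runs as coldfusion.exe, or as a java.exe whose
    path contains 'coldfusion'. Adjust to the install you are checking."""
    path = image_path.lower()
    name = ntpath.basename(path)
    return name == "coldfusion.exe" or (name == "java.exe" and "coldfusion" in path)


def index_by_pid(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map NewProcessId -> its 4688 record so creator chains can be walked."""
    return {e["NewProcessId"]: e for e in events if e.get("EventID") == "4688"}


def descends_from_coldfusion(event: Dict[str, str],
                             by_pid: Dict[str, Dict[str, str]]) -> bool:
    """True if the creator, or any creator further up the chain present in the
    export, is the ColdFusion JVM. In 4688, ParentProcessName names the creator
    and ProcessId is the creator's PID."""
    current = event
    for _ in range(MAX_ANCESTORS):
        if is_coldfusion_jvm(current.get("ParentProcessName", "")):
            return True
        current = by_pid.get(current.get("ProcessId", ""))
        if current is None:
            return False
    return False


def flag_4688(event: Dict[str, str], by_pid: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return a finding for one record, or None if it is not under the JVM."""
    if event.get("EventID") != "4688" or not descends_from_coldfusion(event, by_pid):
        return None
    child = ntpath.basename(event.get("NewProcessName", "").lower())
    severity = "high" if child in SUSPICIOUS_CHILDREN else "low"
    return (f"{severity}: {event.get('TimeCreated', '?')} {child} under ColdFusion JVM "
            f"as {event.get('SubjectUserName', '?')}: {event.get('CommandLine', '')}")


def scan_events(events: List[Dict[str, str]]) -> List[str]:
    """Flag every record in the export that descends from the ColdFusion JVM."""
    by_pid = index_by_pid(events)
    return [f for f in (flag_4688(e, by_pid) for e in events) if f]


# Constructed 4688 records (field names follow the event's EventData); the
# install path and PIDs are placeholders, not data from a real host.
SAMPLE_EVENTS = [
    {"EventID": "4688", "TimeCreated": "2023-03-20T02:14:07Z", "SubjectUserName": "cfservice",
     "ProcessId": "0x9c4", "ParentProcessName": r"C:\ColdFusion2021\jre\bin\java.exe",
     "NewProcessId": "0x1a8c", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": "4688", "TimeCreated": "2023-03-20T02:14:09Z", "SubjectUserName": "cfservice",
     "ProcessId": "0x1a8c", "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "NewProcessId": "0x1b20", "NewProcessName": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    {"EventID": "4688", "TimeCreated": "2023-03-20T09:00:00Z", "SubjectUserName": "admin",
     "ProcessId": "0x4d0", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessId": "0x2000", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": "4624", "TimeCreated": "2023-03-20T09:00:01Z", "SubjectUserName": "admin"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The chain walk relies on the creator record being in the same export, and PIDs are reused over time, so bound the export to a short window or key on NewProcessId plus TimeCreated when working with long retention. Command lines only appear in 4688 when process command line auditing is enabled; without it the child name alone is still enough to raise the high-severity finding.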

Timeline

Date             Event
14 March 2023    Adobe patches CVE-2023-26360
March 2023       Active exploitation confirmed against US government agencies
June 2023        CISA publishes detailed advisory with exploitation evidence and IOCs
June 2023        Added to CISA Known Exploited Vulnerabilities catalogue
2023             Continued exploitation of unpatched ColdFusion instances