CVE-2023-26347

HIGH EXPLOITED NUCLEI

Adobe ColdFusion <2023.5-2021.11 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-26347 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An unauthenticated attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Nuclei Templates (1)

Adobe Coldfusion - Authentication Bypass
HIGHVERIFIEDby salts
Shodan: http.component:"Adobe ColdFusion" || http.component:"adobe coldfusion" || http.title:"coldfusion administrator login" || cpe:"cpe:2.3:a:adobe:coldfusion"
FOFA: app="Adobe-ColdFusion" || app="adobe-coldfusion" || title="coldfusion administrator login"

References (1)

Core 1
Core References
Release Notes, Vendor Advisory vendor-advisory
https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html

Scores

CVSS v3 7.5
EPSS 0.1007
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2024-05-06
CWE
CWE-284
Status published
Products (3)
adobe/coldfusion 2021 (12 CPE variants)
adobe/coldfusion 2023 (6 CPE variants)
adobe/coldfusion < 2021
Published Nov 17, 2023
Tracked Since Feb 18, 2026