CVE-2023-26360

HIGH KEV NUCLEI

Adobe ColdFusion ≤2018 Update 15, ≤2021 Update 5 - RCE

Title source: llm

Exploitation Summary

CVE-2023-26360 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 15, 2023. EIP tracks 8 public exploits, including PoCs from yosef0x01, jakabakos and H3rm1tR3b0rn and two Metasploit modules: the file-read auxiliary module auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360 and the RCE module exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360. A Nuclei detection template is also available.

AI-analyzed exploit summary (of the yosef0x01 PoC): the repository contains a functional exploit for CVE-2023-26360, an arbitrary file read vulnerability in Adobe ColdFusion. The exploit reaches the deserialization flaw through the `utils.cfc` endpoint to read arbitrary files from the target system.

Description

Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction.

Exploits (8)

nomisec WORKING POC 5 stars
by yosef0x01 · infoleak
https://github.com/yosef0x01/CVE-2023-26360

This repository contains a functional exploit for CVE-2023-26360, an arbitrary file read vulnerability in Adobe ColdFusion. The exploit leverages a deserialization flaw in the `utils.cfc` endpoint to read arbitrary files from the target system.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion (versions affected by CVE-2023-26360)
No auth needed
Prerequisites: Network access to the ColdFusion server · Knowledge of the target file path
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 5 stars
by jakabakos · remote
https://github.com/jakabakos/CVE-2023-26360-adobe-coldfusion-rce-exploit

This repository contains a functional exploit for CVE-2023-26360, targeting Adobe ColdFusion's deserialization vulnerability. The exploit includes both file read and remote command execution capabilities via crafted HTTP requests to the ColdFusion endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion (versions affected by CVE-2023-26360)
No auth needed
Prerequisites: Network access to the ColdFusion server · ColdFusion server with vulnerable endpoint exposed
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by H3rm1tR3b0rn · remote
https://github.com/H3rm1tR3b0rn/CVE-2023-26360-RCE

This repository contains a functional exploit for CVE-2023-26360, a remote code execution vulnerability in Adobe ColdFusion 2021. The exploit leverages deserialization via a malicious CFC endpoint to execute arbitrary Java code, fetching a payload from an attacker-controlled server.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion 2021
No auth needed
Prerequisites: Network access to ColdFusion server · Ability to host a malicious payload server · ColdFusion 2021 with vulnerable endpoint exposed
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by CuriousLearnerDev · poc
https://github.com/CuriousLearnerDev/ColdFusion_EXp

This repository contains a functional exploit for CVE-2023-26360, leveraging ColdFusion's logging mechanism to achieve remote code execution by writing malicious payloads to `coldfusion-out.log` and executing them via classname manipulation.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion
No auth needed
Prerequisites: Network access to vulnerable ColdFusion server · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by joaoaugustom · remote
https://github.com/joaoaugustom/Adobe_ColdFusion_RCE_Unauthenticated

This repository contains a functional Python exploit for CVE-2023-26360, an unauthenticated RCE vulnerability in Adobe ColdFusion. The exploit leverages a two-step mechanism: log poisoning via malformed CFML injection and subsequent template execution via classname deserialization.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion 2021 Update 5 and earlier, Adobe ColdFusion 2018 Update 15 and earlier
No auth needed
Prerequisites: Network access to the ColdFusion server · Vulnerable endpoint exposed
devstral-2 · analyzed May 17, 2026
nomisec WORKING POC
by RyanRodrigues880 · remote
https://github.com/RyanRodrigues880/CVE-2023-26360

This repository contains a functional Python exploit for CVE-2023-26360, an unauthenticated RCE vulnerability in Adobe ColdFusion. The exploit includes payload generation for command execution, reverse shells, and URLClassLoader-based attacks, with methods to plant payloads via ColdFusion log injection.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion (CF 2021 ≤ Update 5, CF 2018 ≤ Update 15)
No auth needed
Prerequisites: Network access to ColdFusion server · ColdFusion server with vulnerable version
devstral-2 · analyzed Feb 19, 2026
metasploit WORKING POC
by sf · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360.rb

This Metasploit module exploits CVE-2023-26360, an unauthenticated deserialization vulnerability in Adobe ColdFusion, to perform arbitrary file reads. It constructs a malicious JSON payload to manipulate the classname parameter, enabling file disclosure.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion 2021 Update 5 and earlier, ColdFusion 2018 Update 15 and earlier
No auth needed
Prerequisites: Accessible ColdFusion Component (CFC) endpoint · Valid CFC method name
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by sf · ruby · poc · java
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb

This Metasploit module exploits CVE-2023-26360, an unauthenticated deserialization vulnerability in Adobe ColdFusion 2021 Update 5 and earlier, as well as ColdFusion 2018 Update 15 and earlier, to achieve remote code execution. It leverages a malicious CFML payload to trigger a URLClassLoader-based attack, delivering a Java or command-based payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Adobe ColdFusion 2021 Update 5 and earlier, ColdFusion 2018 Update 15 and earlier
No auth needed
Prerequisites: Network access to the ColdFusion server · ColdFusion server with vulnerable version · Ability to send HTTP requests to the target
devstral-2 · analyzed Feb 16, 2026
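The exploit entries above describe two request shapes worth hunting for: a JSON `_variables` payload whose `_metadata.classname` is pushed to a traversal path (file read), and a second stage that first poisons `coldfusion-out.log` with CFML and then loads the log as a template (RCE). The triage helper below is an added example written for this page; it is not code from any of the listed repositories or from Adobe. The parameter names `_cfclient`, `_variables` and `_metadata.classname` are those used by the linked Metasploit file-read module; the `utils.cfc` path comes from the yosef0x01 entry. The request lines, log lines and the list of CFML markers are constructed for the example and are heuristics, not an Adobe-documented format.

```python
"""Triage helper for CVE-2023-26360 indicators (added example, not from the PoCs above)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Heuristic: CFML source has no business appearing in coldfusion-out.log, a plain
# text server log. The public PoCs plant it there so that a later _cfclient request
# can load the log file as a template via _metadata.classname.
CFML_MARKERS = re.compile(
    r"<cf(?:script|execute|set|output|include|savecontent|file)\b|createObject\s*\(",
    re.IGNORECASE,
)

# A legitimate ColdFusion client classname is a dotted component name;
# slashes, backslashes, "..", or a file extension are not.
PLAUSIBLE_CLASSNAME = re.compile(r"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*")


def analyze_request(method: str, url: str, body: str = "") -> dict:
    """Classify one request (URL plus form-encoded body) for CVE-2023-26360 indicators."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)

    is_cfc = parts.path.lower().endswith(".cfc")
    cfclient = params.get("_cfclient", [""])[0].strip().lower() == "true"

    classname = None
    raw = params.get("_variables", [None])[0]
    if raw is not None:
        try:
            data = json.loads(raw)
            meta = data.get("_metadata") if isinstance(data, dict) else None
            if isinstance(meta, dict) and isinstance(meta.get("classname"), str):
                classname = meta["classname"]
        except ValueError:
            pass  # malformed JSON: still a _variables parameter, handled below

    lowered = (classname or "").lower()
    traversal = "../" in lowered or "..\\" in lowered
    targets_log = lowered.endswith(".log")
    plausible = classname is not None and PLAUSIBLE_CLASSNAME.fullmatch(classname) is not None

    if is_cfc and cfclient and classname is not None and not plausible:
        verdict = "exploit_attempt"      # classname escapes the component namespace
    elif is_cfc and cfclient and raw is not None:
        verdict = "suspicious"           # client-style call; legitimate CF mobile clients send these too
    else:
        verdict = "benign"

    return {
        "method": method.upper(), "path": parts.path, "cfc_endpoint": is_cfc,
        "cfclient": cfclient, "classname": classname, "traversal": traversal,
        "targets_log": targets_log, "verdict": verdict,
    }


def scan_log_for_cfml(lines) -> list:
    """Return (line_number, marker) for log lines that carry CFML tags or createObject()."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        match = CFML_MARKERS.search(line)
        if match:
            hits.append((lineno, match.group(0)))
    return hits


# Constructed sample traffic: (method, url, form-encoded body). Not captured from a real host.
SAMPLE_REQUESTS = [
    ("GET", "/index.cfm?page=home", ""),
    ("POST", "/api/Orders.cfc?method=list&_cfclient=true",
     '_variables={"_metadata":{"classname":"api.Orders"},"_variables":[]}'),
    ("POST", "/CFIDE/wizards/common/utils.cfc?method=wizardHash&_cfclient=true&returnFormat=wddx",
     '_variables={"_metadata":{"classname":"../../../../../../../etc/passwd"},"_variables":[]}'),
    ("POST", "/CFIDE/wizards/common/utils.cfc?method=wizardHash&_cfclient=true",
     '_variables={"_metadata":{"classname":"../../../../logs/coldfusion-out.log"},"_variables":[]}'),
]

# Constructed sample of coldfusion-out.log lines (layout is illustrative only).
SAMPLE_OUT_LOG = [
    "Jan 20, 2024 10:15:01 AM Information [ajp-nio-8016-exec-3] - Starting ColdFusion 2021 services",
    "Jan 20, 2024 10:15:07 AM Information [ajp-nio-8016-exec-3] - Wizard hash request from 203.0.113.7",
    'Jan 20, 2024 10:15:09 AM Error [ajp-nio-8016-exec-5] - <cfscript>createObject("java","java.lang.Runtime")</cfscript>',
]

if __name__ == "__main__":
    for method, url, body in SAMPLE_REQUESTS:
        r = analyze_request(method, url, body)
        print(f"{r['verdict']:16} {r['path']} classname={r['classname']!r}")
    for lineno, marker in scan_log_for_cfml(SAMPLE_OUT_LOG):
        print(f"coldfusion-out.log line {lineno}: CFML marker {marker!r}")
```

Run it against reconstructed request lines from a reverse proxy or WAF log and against the server's own coldfusion-out.log; a `suspicious` verdict alone is expected on hosts that genuinely use ColdFusion client features, while an `exploit_attempt` verdict or any CFML marker in the log warrants incident handling regardless of patch level.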

Nuclei Templates (1)

Adobe ColdFusion - Local File Read
HIGH · VERIFIED · by DhiyaneshDK, 7own
Shodan: http.component:"Adobe ColdFusion" || http.component:"adobe coldfusion" || http.title:"coldfusion administrator login" || cpe:"cpe:2.3:a:adobe:coldfusion"
FOFA: title="coldfusion administrator login" || app="adobe-coldfusion"

Scores

CVSS v3 8.6
EPSS 0.9433
EPSS Percentile 100.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Note: the published vector scores confidentiality impact only (I:N/A:N), while the vendor description and the public exploits listed above reach remote code execution; prioritize this as a full-compromise issue rather than an information leak.

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-03-15
VulnCheck KEV 2023-03-14
InTheWild.io 2023-03-15
ENISA EUVD EUVD-2023-30181
CWE
CWE-284
Status published
Products (2)
adobe/coldfusion 2018 (16 CPE variants)
adobe/coldfusion 2021 (6 CPE variants)
Published Mar 23, 2023
KEV Added Mar 15, 2023
Tracked Since Feb 18, 2026