# Critical vulnerabilities in Adobe Coldfusion (CVE-2023-26359, CVE-2023-26360 and CVE-2023-26359)
On March 8, 2023, Adobe released security updates to address critical vulnerabilities in Adobe ColdFusion, a popular web application development platform. These vulnerabilities, classified as **improper access control** and insecure deserialization lead to **unauthorized Remote Code Execution (RCE)** when an attacker sends a specially crafted request containing untrusted data to a ColdFusion server.
The exploitation does **not require user interaction**, making it particularly severe as it allows attackers to execute arbitrary code in the context of the current user without their knowledge.
The Cybersecurity and Infrastructure Security Agency (CISA) [highlighted](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a) the gravity of this issue on December 5, 2023, by releasing an advisory regarding the active exploitation of the issues. They noted that this vulnerability is being utilized by cyber threat actors to gain initial access to public-facing Adobe ColdFusion web servers. The most severe vulnerability has a **CVSS score of 9.8**, categorizing it as **Critical**.
So basically after some further investigation, three different issues were identified:
1. [CVE-2023-26359](https://nvd.nist.gov/vuln/detail/CVE-2023-26359): Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user.
2. [CVE-2023-26360](https://nvd.nist.gov/vuln/detail/CVE-2023-26360): Initially it was recognized as an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user, but later on Adobe changed it to Deserialization of Untrusted Data.
3. [CVE-2023-26361](https://nvd.nist.gov/vuln/detail/CVE-2023-26361): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in Arbitrary file system read.
This exploit script is written for a CVE analysis on [vsociety]([https://www.vicarius.io/vsociety/](https://www.vicarius.io/vsociety/)).
## Usage
Help:
```text
usage: exploit.py [-h] --host HOST [--read-file READ_FILE] [--cmd CMD] [--endpoint ENDPOINT] [--win] [--proxy PROXY]
Exploit script for remote file read or command execution against Adobe ColdFusion (CVE-2023-26359, CVE-2023-26360, and CVE-2023-26359).
options:
-h, --help show this help message and exit
--host HOST Target host URL
--read-file READ_FILE, -f READ_FILE
File path to read from the host
--cmd CMD, -c CMD Command to execute on the target
--endpoint ENDPOINT Endpoint URL
--win Specify this if the target host is considered to be Windows.
--proxy PROXY Proxy URL
```
```bash
# Arbirary file read
python3 exploit.py --host http://localhost:8500 --read-file '../../../../etc/passwd'
# RCE
python3 exploit.py --host http://localhost:8500 --cmd 'CMD'
```
## Disclaimer
This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and the owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations. Use responsibly.
[4.0K] /data/pocs/fc7a1b5404b2cbdee065512576779478146e7d8e
├── [1.6K] detect.py
├── [4.4K] exploit.py
├── [3.4K] output.txt
└── [3.5K] README.md
0 directories, 4 files