The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a flaw in Adobe’s ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The agency identifies the flaw as CVE-2023-26359 and notes that it allows an attacker to execute arbitrary code without requiring any interaction.
It can lead to unexpected consequences, such as code execution or denial-of-service attacks.
This comes five months after CISA placed another flaw impacting the same product in the KEV catalog.
Adobe says it’s aware of the weakness being exploited in very limited attacks but believes that it can only be used in very limited ways.
Its customers have been exploiting the weakness in very few instances.