The US CISA added CVE-2023-26359, a critical flaw (CVSS score 9.8) affecting Adobe ColdFusion, to its Known Exploited Vulnerabilities Catalog.
Adobe fixed the vulnerability in March 2023. It is a deserialization of untrusted data issue in Adobe ColdFusion that can lead to arbitrary code execution in the context of the current user.
Exploitation of this issue does not require user interaction.
Adobe is aware of very limited attacks in the wild exploiting this ColdFusion flaw.
CISA orders federal agencies to fix this flaw by September 11, 2023.