The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion contains an improper access control vulnerability that allows for remote code execution," CISA said. The vulnerability impacts ColdFusion 2018 (Update 15 and earlier versions) and ColdFusion 2021 (Update 5 and earlier versions). It has been addressed in versions Update 16 and Update 6, respectively, released on March 14, 2023. It's worth noting that CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations, both of which are no longer supported by the software company as they have reached end-of-life (EoL). While the exact details surrounding the nature of the attacks are unknown, Adobe said in an advisory that it's aware of the flaw being "exploited in the wild in very limited attacks." This news is a reminder that even if you're not using the most up-to-date software, you can still be at risk for attack. Outdated software is one of the many vulnerabilities that hackers can exploit to gain access to company data. That's why it's so important to have a comprehensive security plan that includes monitoring for third-party app access to your SaaS apps. If you're not sure where to start, join our webinar to learn about the types of permissions being granted and how to minimize risk.