Malicious actors have hacked two governmental servers running end-of-life software. The US cybersecurity agency CISA warns that cybercriminals are exploiting a vulnerability in discontinued Adobe ColdFusion versions and urges users to upgrade.

The first incident happened as early as June 26th, when threat actors gained access to a public-facing web server running an Adobe ColdFusion version from 2016. The server belonged to an unnamed Federal Civilian Executive Branch agency.

The hackers used an IP address that resolved to a public cloud service provider, which could host a large volume of legitimate traffic.

After performing connectivity and software checks, the cybercrooks were observed traversing the filesystem, uploading various artifacts, deleting files, and running web shells. Malicious code was inserted with the intent to extract username, password, and data source uniform resource locators, according to CISA’s advisory.

The second incident took place on June 2nd, when unknown hackers attacked another server of an unnamed governmental body. The server was running the ColdFusion version from 2021.

Malicious actors exploited the same critical vulnerability, CVE-2023-26360, with a base score of 9.8 out of 10. Older ColdFusion versions have an improper access control vulnerability, which allows cybercrooks to run arbitrary code without user interaction.

Using a different IP address, the hackers collected information about administrative user accounts and performed reconnaissance, discovering network configuration, logs, and user information.

The threat actors also dropped at least eight malicious artifacts, including a remote access trojan, and maintained persistence for a while, periodically testing network connectivity. They also tried to exfiltrate registry files multiple times, but these malicious activities were detected and quarantined.

“Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers,” the Cybersecurity and Infrastructure Security Agency (CISA) noted.

Microsoft Defender for Endpoint alerted the agency’s pre-production environment about the potential Adobe ColdFusion vulnerability exploitation in both incidents.

The CISA encourages network defenders and critical infrastructure organizations to improve their cybersecurity posture and urges software manufacturers to incorporate secure-by-design and -default principles.

Those incidents could have been avoided if all software versions affected by the vulnerability had been upgraded. According to the CISA, internet-facing systems should be prioritized, and vulnerability scans should be automated or conducted continuously.

“Both servers were running outdated versions of software, which are vulnerable to various CVEs (Common vulnerabilities and exposures). Additionally, various commands were initiated by the threat actors on the compromised web servers; the exploited vulnerability allowed the threat actors to drop malware using HTTP POST commands to the directory path associated with ColdFusion,” the CISA noted.