CISA has confirmed that threat actors exploited a critical flaw (CVE-2023-26360) in Adobe ColdFusion, allowing arbitrary code execution on vulnerable systems. The issue affects ColdFusion 2018 (Update 15 and earlier), 2021 (Update 5 and earlier), and unsupported versions 2016 and 11. At least two public-facing servers at a Federal Civilian Executive Branch (FCEB) agency were compromised between June and July 2023.