AI Security AI安全 2d ago Updated 2d ago 更新于 2天前 42

CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws CISA敦促立即修补被利用的ColdFusion、Langflow和Joomla漏洞

CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild. Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) involves a path traversal flaw allowing arbitrary code execution, patched shortly before exploitation began. Langflow CVE-2026-55255 (CVSS 9.9) is a cross-tenant IDOR vulnerability enabling unauthorized flow execution, chained with a previously patched RCE bug. Two Joomla extensions, SP Page Builder and Page Builder CISA警告Adobe ColdFusion、Langflow及两个Joomla扩展的漏洞已在野外被利用,并列入已知被利用漏洞(KEV)目录。 ColdFusion存在CVSS 10分的任意代码执行路径遍历漏洞(CVE-2026-48282),补丁发布后数天内即遭利用。 Langflow存在跨租户IDOR漏洞(CVE-2026-55255, CVSS 9.9),攻击者通过重放Flow ID结合已修复的RCE漏洞进行链式攻击。 两个Joomla扩展(SP Page Builder和Page Builder CK)存在CVSS 10分的未认证任意文件上传漏洞,导致远程代码执行(RCE)。 联邦机构

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild.
  • Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) involves a path traversal flaw allowing arbitrary code execution, patched shortly before exploitation began.
  • Langflow CVE-2026-55255 (CVSS 9.9) is a cross-tenant IDOR vulnerability enabling unauthorized flow execution, chained with a previously patched RCE bug.
  • Two Joomla extensions, SP Page Builder and Page Builder CK, contain critical unauthenticated file upload flaws leading to Remote Code Execution (RCE).

Why It Matters

This update highlights the accelerating timeline between patch release and active exploitation, particularly for widely used frameworks like Adobe ColdFusion and Langflow. For AI practitioners using Langflow, the specific chaining of IDOR with RCE underscores the necessity of strict input validation and access controls in LLM orchestration tools. Federal agencies face immediate compliance deadlines under BOD 26-04, emphasizing the critical need for rapid vulnerability management in enterprise environments.

Technical Details

  • Adobe ColdFusion (CVE-2026-48282): A path traversal vulnerability with a CVSS score of 10.0 that allows attackers to execute arbitrary code. It was flagged as exploited in the wild just days after Adobe issued patches on June 30.
  • Langflow (CVE-2026-55255): A cross-tenant Insecure Direct Object Reference (IDOR) with a CVSS score of 9.9. Attackers exploited this by harvesting flow UUIDs to execute flows belonging to other users. This was chained with CVE-2026-33017, a remote code execution bug patched in March, to facilitate deeper compromise. Patched in version 1.9.1.
  • SP Page Builder (CVE-2026-48908): An improper access control issue (CVSS 10.0) in the custom icon upload feature. Unauthenticated attackers can write files to the web root, leading to PHP code execution. Threat actors used this to plant hidden administrator accounts and PHP file manager backdoors. Patched in version 6.6.2.
  • Page Builder CK (CVE-2026-56290): An unauthenticated arbitrary file upload vulnerability (CVSS 10.0) resulting in RCE. Exploitation led to the deployment of web shells within hours of the fix release in version 3.6.0.

Industry Insight

  • Zero-Day Response Velocity: The rapid exploitation of ColdFusion and Joomla vulnerabilities demonstrates that threat actors are actively monitoring vendor patch notes. Organizations must prioritize patching critical infrastructure components immediately upon release, rather than waiting for proof-of-concept exploits to appear.
  • Supply Chain Security in AI Tools: The Langflow incident reveals that even specialized AI development platforms are susceptible to traditional web application vulnerabilities (IDOR, RCE). Developers using such tools must ensure they are running the latest versions and segment their environments to limit lateral movement.
  • Compliance Urgency: With CISA enforcing a July 10 deadline for federal agencies via BOD 26-04, non-federal organizations should treat these vulnerabilities as high-priority risks. Proactive remediation is essential to avoid becoming targets for the same attack chains observed in the wild.

TL;DR

  • CISA警告Adobe ColdFusion、Langflow及两个Joomla扩展的漏洞已在野外被利用,并列入已知被利用漏洞(KEV)目录。
  • ColdFusion存在CVSS 10分的任意代码执行路径遍历漏洞(CVE-2026-48282),补丁发布后数天内即遭利用。
  • Langflow存在跨租户IDOR漏洞(CVE-2026-55255, CVSS 9.9),攻击者通过重放Flow ID结合已修复的RCE漏洞进行链式攻击。
  • 两个Joomla扩展(SP Page Builder和Page Builder CK)存在CVSS 10分的未认证任意文件上传漏洞,导致远程代码执行(RCE)。
  • 联邦机构需在7月10日前修补所有四个弱点,其他组织也被建议尽快审查并修复KEV列表中的漏洞。

为什么值得看

本文揭示了当前AI开发工具(Langflow)和企业软件(ColdFusion)面临的高危安全威胁,强调了“补丁发布即被利用”的快速响应态势。对于依赖这些工具构建AI应用或管理企业基础设施的团队而言,及时识别并修复这些关键漏洞是保障业务连续性和数据安全的当务之急。

技术解析

  • Adobe ColdFusion (CVE-2026-48282):CVSS评分10/10。这是一个路径遍历漏洞,允许攻击者执行任意代码。该漏洞在Adobe于6月30日发布补丁后仅几天内就被标记为正在被利用。
  • Langflow (CVE-2026-55255):CVSS评分9.9。属于跨租户的不安全直接对象引用(IDOR)弱点。攻击者通过提供其他用户的Flow UUID来执行其工作流。实际攻击中,威胁行为者先进行主机侦察,获取Flow ID,触发IDOR,并与3月已修复的RCE漏洞(CVE-2026-33017)结合使用。补丁版本为1.9.1。
  • SP Page Builder (CVE-2026-48908):CVSS评分10/10。不正确的访问控制问题,允许未经身份验证的攻击者实现RCE。漏洞位于自定义图标上传功能,因将文件写入Web根目录且服务器执行根目录代码,导致PHP代码执行。补丁版本为6.6.2。攻击者利用此漏洞植入隐藏管理员账户和PHP后门。
  • Page Builder CK (CVE-2026-56290):CVSS评分10/10。未经身份验证的任意文件上传漏洞,导致底层Web服务器的RCE。补丁版本为3.6.0(6月27日发布)。攻击者在补丁发布几小时内就开始利用该漏洞植入Web Shell。

行业启示

  • AI工具供应链安全需加强:Langflow作为流行的LLM应用开发框架,其IDOR漏洞被利用表明,即使是新兴的AI开发工具也面临成熟的黑客攻击手法。开发者需关注基础组件的安全更新,并实施严格的输入验证和权限检查。
  • 零日/快速利用威胁常态化:多个漏洞在补丁发布后极短时间内(数天甚至数小时)即被利用,显示攻击者自动化程度高。组织必须建立快速的漏洞响应机制,优先处理CVSS 9.0以上的关键漏洞,并监控KEV列表。
  • Web应用防火墙与配置加固:针对Joomla等CMS插件的未认证RCE漏洞,强调了对Web根目录写权限的最小化原则。建议定期审计第三方插件的安全性,限制文件上传功能的权限,并部署WAF以拦截异常的文件上传请求。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源