Adobe's ColdFusion web development software is to blame for the downtime of the US Government's National Vulnerability Database.
The malware infected two servers, and caused the National Institute for Standards and Technology to take the NVD database and other US government sites offline on Friday.
The servers were compromised for at least two months before a firewall detected mysterious outbound traffic. The malware used vulnerabilities in Adobe ColdFusion, for which a patch is now available.
Adobe issued a security advisory for ColdFusion on January 4, and a patch for it on January 15.
It gave the patch a priority-one rating, and said it was aware the vulnerabilities were being used in the wild.[...]