Adobe Rushes Out Emergency Patch for ColdFusion Zero-Day Exploited in Attacks
July 19, 2023
Adobe has issued an emergency security update for its ColdFusion software, addressing several critical vulnerabilities, one of which is a new zero-day that has been exploited in attacks. The update was released outside of the regular patching schedule, indicating the severity of the vulnerabilities.
Among the vulnerabilities fixed are a critical remote code execution (RCE) flaw identified as CVE-2023-38204 with a severity rating of 9.8, a critical improper access control flaw, CVE-2023-38205, with a rating of 7.8, and a moderate improper access control flaw, CVE-2023-38206, with a rating of 5.3.
While CVE-2023-38204 is the most severe vulnerability patched in this update, it was not exploited in the wild. However, Adobe has confirmed that the CVE-2023-38205 flaw was used in limited attacks. In their security bulletin, Adobe stated, "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion."
The CVE-2023-38205 flaw is a bypass of the patch for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researcher Stephen Fewer on July 11th. On July 13th, Rapid7 observed attackers exploiting CVE-2023-29298 together with what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws to install webshells on vulnerable ColdFusion servers and gain remote access to the devices.
On July 17th, Rapid7 discovered that the patch for the CVE-2023-29298 vulnerability could be bypassed and reported this to Adobe. In their report, Rapid7 stated, "Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14). We have notified Adobe that their patch is incomplete."
Adobe has now confirmed that the fix for the CVE-2023-29298 vulnerability is included in APSB23-47 as the CVE-2023-38205 patch. As this vulnerability is being actively exploited to take control of ColdFusion servers, Adobe strongly recommends that website operators install the update as soon as possible.