Adobe has issued an emergency security update for its ColdFusion software, addressing several critical vulnerabilities, including a new zero-day exploit that has been used in attacks. The update includes fixes for three vulnerabilities: a critical remote code execution (RCE) bug, CVE-2023-38204, rated at 9.8; a critical Improper Access Control flaw, CVE-2023-38205, rated at 7.8; and a moderate Improper Access Control flaw, CVE-2023-38206, rated at 5.3.
Although CVE-2023-38204 is the most serious flaw patched in this update, it has not been exploited in the wild. The CVE-2023-38205 flaw, on the other hand, has been used in limited attacks. According to Adobe's security bulletin, 'Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.'
The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researcher Stephen Fewer and disclosed on July 11th. By July 13th, Rapid7 had observed attackers exploiting the CVE-2023-29298 vulnerability, together with what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws, to install webshells on vulnerable ColdFusion servers, thereby gaining remote access to those servers.
On July 17th, Rapid7 found that the fix for the CVE-2023-29298 vulnerability could be bypassed and reported this to Adobe. Rapid7 explained, 'We have notified Adobe that their patch is incomplete.' Today, Adobe confirmed that the complete fix for CVE-2023-29298 is included in APSB23-47 as the CVE-2023-38205 patch. Given that this vulnerability is being actively exploited to take over ColdFusion servers, website operators are strongly advised to install the update as soon as possible.