Adobe Releases Urgent ColdFusion Security Update to Address Critical Zero-Day Exploits

July 19, 2023

Adobe has issued an emergency security update for its ColdFusion software, addressing several critical vulnerabilities, including a new zero-day exploit that has been used in attacks. The update includes fixes for three vulnerabilities: a critical remote code execution (RCE) bug, CVE-2023-38204, rated at 9.8; a critical Improper Access Control flaw, CVE-2023-38205, rated at 7.8; and a moderate Improper Access Control flaw, CVE-2023-38206, rated at 5.3.

Although CVE-2023-38204 is the most serious flaw patched in this update, it has not been exploited in the wild. The CVE-2023-38205 flaw, on the other hand, has been used in limited attacks. According to Adobe's security bulletin, 'Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.'

The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researchers Stephen Fewer on July 11th. By July 13th, Rapid7 had observed attackers exploiting the CVE-2023-29298 vulnerability and what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws to install webshells on vulnerable ColdFusion servers, thereby gaining remote access to these devices.

On July 17th, Rapid7 found that the fix for the CVE-2023-29298 vulnerability could be bypassed and reported this to Adobe. Rapid7 explained, 'We have notified Adobe that their patch is incomplete.' Today, Adobe has confirmed that the fix for CVE-2023-29298 is included in APSB23-47 as the CVE-2023-38205 patch. Given that this vulnerability is being actively exploited in attacks to take over ColdFusion servers, it is strongly advised that website operators install the update as soon as possible.

Related News

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.