Critical Vulnerability in ColdFusion Addressed as Adobe Releases Another Key Patch

July 17, 2023

Adobe has released patches for a critical vulnerability in its ColdFusion software that could be exploited to execute arbitrary code. The vulnerability, tracked as CVE-2023-38203, has a CVSS score of 9.8 and is described as 'deserialization of untrusted data' affecting ColdFusion versions 2023, 2021, and 2018. This class of vulnerability generally allows an attacker to supply specially crafted data that triggers arbitrary code execution when it is deserialized, potentially leading to full system compromise. Adobe has noted that a proof-of-concept blog post for this vulnerability has been published online.

The company announced on Friday that the issue had been addressed with the release of updates for ColdFusion 2023, 2021, and 2018. The patches for CVE-2023-38203 were released just days after Adobe addressed another critical 'deserialization of untrusted data' bug in ColdFusion, identified as CVE-2023-29300, also with a CVSS score of 9.8.

The Zero Day Initiative's Dustin Childs has reported that the first attacks targeting CVE-2023-29300 have already been observed in the wild. He stated: 'Adobe released another update for ColdFusion today and note CVE-2023-38203 had been publicly disclosed. They also now say CVE-2023-29300 (patched Tues.) has active attacks in the wild.'

Given these developments, ColdFusion users are strongly advised to install the latest security updates as soon as they can to protect their systems from potential attacks.
