VULNERA Pulse

Adobe — ColdFusion

CVE-2023-29298 / Added: July 20, 2023

HIGH CVSS 7.50 EPSS Score 1.80 EPSS Percentile 86.49

Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.

Headlines

• July 20, 2023 - Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
• July 20, 2023 - Adobe out-of-band update addresses an actively exploited ColdFusion zero-day
• July 20, 2023 - Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
• July 20, 2023 - Emergency patch for ColdFusion zero-day
• July 19, 2023 - Adobe emergency patch fixes new ColdFusion zero-day used in attacks
• July 19, 2023 - Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New Vulnerabilities Found in Adobe ColdFusion
• July 18, 2023 - Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)
• July 18, 2023 - Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
• July 18, 2023 - Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 11, 2023 - July’s Patch Tuesday: A rich harvest

Back to top ↑

Adobe — ColdFusion

CVE-2023-38205 / Added: July 20, 2023

CVSS Not Assigned

Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.

Headlines

• July 20, 2023 - Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
• July 20, 2023 - Adobe out-of-band update addresses an actively exploited ColdFusion zero-day
• July 20, 2023 - Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
• July 20, 2023 - Multiple Vulnerabilities in Adobe ColdFusion Could Allow for Arbitrary Code Execution
• July 20, 2023 - Emergency patch for ColdFusion zero-day
• July 19, 2023 - Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw
• July 19, 2023 - Adobe emergency patch fixes new ColdFusion zero-day used in attacks

Back to top ↑

Citrix — NetScaler ADC and NetScaler Gateway

CVE-2023-3519 / Added: July 19, 2023

CRITICAL CVSS 9.80 EPSS Score 2.22 EPSS Percentile 87.98

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Headlines

• July 21, 2023 - CISA: Citrix RCE bug exploited to breach critical infrastructure org
• July 21, 2023 - Netscaler ADC bug exploited to breach US critical infrastructure org
• July 21, 2023 - Citrix ADC zero-day exploitatation: CISA releases details about attack on CI organization (CVE-2023-3519)
• July 21, 2023 - Citrix Zero-Day Exploited Against Critical Infrastructure Organization
• July 21, 2023 - Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action
• July 20, 2023 - Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway
• July 20, 2023 - CISA Releases Cybersecurity Advisory on Threat Actors Exploiting Citrix CVE-2023-3519 | CISA
• July 20, 2023 - Multiple Vulnerabilities in Citrix Products Could Allow for Remote Code Execution
• July 19, 2023 - Exploitation of New Citrix Zero-Day Likely to Increase, Organizations Warned
• July 19, 2023 - Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)
• July 19, 2023 - Citrix warns of actively exploited zero-day in ADC and Gateway
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 19, 2023 - Citrix zero-day vulnerability under attack
• July 19, 2023 - CVE-2023-3519: Critical Zero-Day Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-day
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-days
• July 18, 2023 - Citrix Releases Security Updates for NetScaler ADC and Gateway | CISA

Back to top ↑

Microsoft — Office and Windows

CVE-2023-36884 / Added: July 17, 2023

HIGH CVSS 8.80 EPSS Score 49.92 EPSS Percentile 97.04

Microsoft Office and Windows contain an unspecified vulnerability that allows an attacker to perform remote code execution via a specially crafted Microsoft Office document.

Headlines

• July 20, 2023 - Kanti: A NIM-Based Ransomware Unleashed in the Wild
• July 18, 2023 - CISA Adds Office 0-Day Flaw (CVE-2023-36884) to its KEV Catalog
• July 18, 2023 - CISA orders govt agencies to mitigate Windows and Office zero-days
• July 16, 2023 - Week in review: Malware delivery via Microsoft Teams, law firms under cyberattack, CVSS 4.0 is out
• July 14, 2023 - Four zero-days make July 's Patch Tuesday a 'patch now' update
• July 13, 2023 - Trojanized Application Preying on TeamViewer Users
• July 13, 2023 - Windows Users Warned To Update Now As Microsoft Confirms New Zero-Day Exploits
• July 12, 2023 - Microsoft Discloses 5 Bugs in Active Exploit; Only Patches 4
• July 12, 2023 - Poultice on a wooden leg: Microsoft patches IE, again | official blog
• July 12, 2023 - Chinese Cyberspies Used Forged Authentication Tokens to Hack Government Emails
• July 12, 2023 - Microsoft Zero Day Vulnerability CVE-2023-36884 Being Actively Exploited
• July 12, 2023 - Microsoft Fixes Six Zero-Days This Patch Tuesday
• July 12, 2023 - Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks
• July 12, 2023 - Microsoft Releases Patches for 130 Vulnerabilities, Including 6 Under Active Attack
• July 12, 2023 - Microsoft scrambles zero-day fixes in bumper patch crop
• July 11, 2023 - Microsoft fixes 130 CVE-listed bugs, 5 flaws exploited
• July 11, 2023 - Apple & Microsoft Patch Tuesday, July 2023 Edition –
• July 11, 2023 - July 2023 Patch Tuesday: Updates and Analysis | CrowdStrike
• July 11, 2023 - Microsoft Discloses 5 Zero-Days in Voluminous July Security Update
• July 11, 2023 - Microsoft patches four exploited zero-days, but lags with fixes for a fifth (CVE-2023-36884)
• July 11, 2023 - Microsoft: Unpatched Office zero-day exploited in NATO summit attacks
• July 11, 2023 - Microsoft Warns of Office Zero-Day Attacks, No Patch Available
• July 11, 2023 - Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

Back to top ↑

CVE-2023-3519

CRITICAL CVSS 9.80 EPSS Score 2.22 EPSS Percentile 87.98

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: July 19, 2023

Unauthenticated remote code execution

Vendor Impacted: Citrix

Products Impacted: Netscaler Gateway, Netscaler Application Delivery Contr, Netscaler Adc And Netscaler Gateway

Quotes

• In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement
• The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement
• In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance
• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action
• Exploits of CVE-2023-3519 on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible
• As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy); or as an AAA virtual server
• Exploits of CVE-2023-3519 on unmitigated appliances have been observed

Headlines

• July 21, 2023 - CISA: Citrix RCE bug exploited to breach critical infrastructure org
• July 21, 2023 - Netscaler ADC bug exploited to breach US critical infrastructure org
• July 21, 2023 - Citrix ADC zero-day exploitatation: CISA releases details about attack on CI organization (CVE-2023-3519)
• July 21, 2023 - Citrix Zero-Day Exploited Against Critical Infrastructure Organization
• July 21, 2023 - Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action
• July 20, 2023 - Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway
• July 20, 2023 - CISA Releases Cybersecurity Advisory on Threat Actors Exploiting Citrix CVE-2023-3519 | CISA
• July 20, 2023 - Multiple Vulnerabilities in Citrix Products Could Allow for Remote Code Execution
• July 19, 2023 - Exploitation of New Citrix Zero-Day Likely to Increase, Organizations Warned
• July 19, 2023 - Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)
• July 19, 2023 - Citrix warns of actively exploited zero-day in ADC and Gateway
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 19, 2023 - Citrix zero-day vulnerability under attack
• July 19, 2023 - CVE-2023-3519: Critical Zero-Day Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-day
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-days
• July 18, 2023 - Citrix Releases Security Updates for NetScaler ADC and Gateway | CISA

CVE-2023-38203

CRITICAL CVSS 9.80

Risk Context N/A

Published: July 20, 2023

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Vendor Impacted: Adobe

Product Impacted: Coldfusion

Quotes

• Exploited in the wild in limited attacks
• Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical  and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass
• Based on available evidence, threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability. The behavior our teams are observing appears to be consistent with CVE-2023-38203, which was published and then subsequently taken down by Project Discovery circa July 12
• Trivially modified exploit still works against the latest version of ColdFusion
• In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6)
• Adobe is aware that a proof-of-concept blog was posted for CVE-2023-38203

Headlines

• July 20, 2023 - Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
• July 20, 2023 - Adobe out-of-band update addresses an actively exploited ColdFusion zero-day
• July 20, 2023 - Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
• July 19, 2023 - Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw
• July 19, 2023 - Adobe emergency patch fixes new ColdFusion zero-day used in attacks
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New Vulnerabilities Found in Adobe ColdFusion
• July 18, 2023 - Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)
• July 18, 2023 - Adobe Releases Security Updates for ColdFusion | CISA
• July 18, 2023 - Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
• July 18, 2023 - Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells
• July 17, 2023 - Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw

CVE-2023-29300

CRITICAL CVSS 9.80 EPSS Score 2.28 EPSS Percentile 88.15

Actively Exploited

Published: July 12, 2023

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Vendor Impacted: Adobe

Product Impacted: Coldfusion

Quotes

• Exploited in the wild in limited attacks
• Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical  and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass
• It’s highly likely that Project Discovery thought they were publishing an n-day exploit for CVE-2023-29300 [while], in actuality, what Project Discovery had detailed was a new zero-day exploit chain
• Trivially modified exploit still works against the latest version of ColdFusion
• Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion
• In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6)

Headlines

• July 20, 2023 - Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
• July 20, 2023 - Adobe out-of-band update addresses an actively exploited ColdFusion zero-day
• July 19, 2023 - Adobe emergency patch fixes new ColdFusion zero-day used in attacks
• July 19, 2023 - Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw
• July 18, 2023 - New Vulnerabilities Found in Adobe ColdFusion
• July 18, 2023 - Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)
• July 18, 2023 - Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
• July 17, 2023 - Adobe warns customers of a critical ColdFusion RCE exploited in attacks
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 17, 2023 - Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw

CVE-2023-28121

CRITICAL CVSS 9.80 EPSS Score 72.77 EPSS Percentile 97.65

Actively Exploited Remote Code Execution Public Exploits Available

Published: April 12, 2023

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

Vendor Impacted: Automattic

Product Impacted: Woocommerce Payments

Quotes

• Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites
• Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023
• Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023
• Once the WP Console plugin is installed, attackers use it to execute malicious code and place a file uploader in order to establish persistence

Headlines

• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - Attackers Pummel Millions of Websites via Critical WooCommerce Payments Flaw
• July 18, 2023 - WordPress Sites Hacked via Critical Vulnerability in WooCommerce Payments Plugin
• July 18, 2023 - Hacking campaign targets sites using WordPress WooCommerce Payments Plugin
• July 18, 2023 - WooCommerce Bug Exploited in Targeted WordPress Attacks
• July 18, 2023 - Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
• July 17, 2023 - Hackers exploiting critical WordPress WooCommerce Payments bug
• July 17, 2023 - Massive Targeted Exploit Campaign Against WooCommerce Payments Underway

CVE-2023-3466

HIGH CVSS 8.30 EPSS Score 0.04 EPSS Percentile 7.03

Risk Context N/A

Published: July 19, 2023

Reflected Cross-Site Scripting (XSS)

Quotes

• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action
• As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy); or as an AAA virtual server

Headlines

• July 21, 2023 - CISA: Citrix RCE bug exploited to breach critical infrastructure org
• July 21, 2023 - Netscaler ADC bug exploited to breach US critical infrastructure org
• July 20, 2023 - Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway
• July 19, 2023 - Exploitation of New Citrix Zero-Day Likely to Increase, Organizations Warned
• July 19, 2023 - Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)
• July 19, 2023 - Citrix warns of actively exploited zero-day in ADC and Gateway
• July 19, 2023 - Citrix zero-day vulnerability under attack
• July 19, 2023 - CVE-2023-3519: Critical Zero-Day Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-day
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-days
• July 18, 2023 - Citrix Releases Security Updates for NetScaler ADC and Gateway | CISA

CVE-2023-3467

HIGH CVSS 8.00 EPSS Score 0.04 EPSS Percentile 7.03

Risk Context N/A

Published: July 19, 2023

Privilege Escalation to root administrator (nsroot)

Quotes

• These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise
• This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action
• As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy); or as an AAA virtual server

Headlines

• July 21, 2023 - Netscaler ADC bug exploited to breach US critical infrastructure org
• July 21, 2023 - CISA: Citrix RCE bug exploited to breach critical infrastructure org
• July 20, 2023 - Attackers Exploit Citrix Zero-Day Bug to Pwn NetScaler ADC, Gateway
• July 19, 2023 - Exploitation of New Citrix Zero-Day Likely to Increase, Organizations Warned
• July 19, 2023 - Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)
• July 19, 2023 - Citrix warns of actively exploited zero-day in ADC and Gateway
• July 19, 2023 - Citrix zero-day vulnerability under attack
• July 19, 2023 - CVE-2023-3519: Critical Zero-Day Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-days
• July 18, 2023 - New critical Citrix ADC and Gateway flaw exploited as zero-day
• July 18, 2023 - Citrix Releases Security Updates for NetScaler ADC and Gateway | CISA

CVE-2023-29298

HIGH CVSS 7.50 EPSS Score 1.80 EPSS Percentile 86.49

CISA Known Exploited

Published: July 12, 2023

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Vendor Impacted: Adobe

Product Impacted: Coldfusion

Quotes

• Exploited in the wild in limited attacks
• Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical  and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass
• Based on available evidence, threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability. The behavior our teams are observing appears to be consistent with CVE-2023-38203, which was published and then subsequently taken down by Project Discovery circa July 12
• Trivially modified exploit still works against the latest version of ColdFusion
• In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6)

Headlines

• July 20, 2023 - Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities
• July 20, 2023 - Adobe out-of-band update addresses an actively exploited ColdFusion zero-day
• July 20, 2023 - Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability
• July 20, 2023 - Emergency patch for ColdFusion zero-day
• July 19, 2023 - Adobe emergency patch fixes new ColdFusion zero-day used in attacks
• July 19, 2023 - Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw
• July 19, 2023 - Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway
• July 18, 2023 - New Vulnerabilities Found in Adobe ColdFusion
• July 18, 2023 - Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)
• July 18, 2023 - Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
• July 18, 2023 - Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites
• July 17, 2023 - Adobe warns of critical Colfdusion RCE bug exploited in attacks
• July 17, 2023 - Adobe warns of critical ColdFusion RCE bug exploited in attacks
• July 17, 2023 - Critical ColdFusion flaws exploited in attacks to drop webshells