Adobe ColdFusion Vulnerability Could Lead to Arbitrary Code Execution
CVE-2023-38203
Key Information:
- Vendor: Adobe
- Status: Vendor
- CVE Published: 20 July 2023
Summary
Adobe ColdFusion is susceptible to a deserialization of untrusted data vulnerability in versions 2018u17 and earlier, 2021u7 and earlier, as well as 2023u1 and earlier. This flaw could allow attackers to execute arbitrary code on the server without needing any user interaction, posing significant security risks for deployments of these versions. It is crucial for users to apply available patches to mitigate potential exploitation of this vulnerability.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities; it has identified this one as being actively exploited and as known to enable ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
ColdFusion 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier
News Articles
- Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203) - Help Net Security: Attackers are exploiting 2 Adobe ColdFusion flaws (CVE-2023-29298, CVE-2023-38203) to breach servers and install web shells. (2 years ago)
- Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns: The exploited code-execution flaws are the kind coveted by ransomware and nation-state hackers. (2 years ago)
- Multiple Adobe ColdFusion flaws exploited in the wild | TechTarget: Multiple flaws in popular application server Adobe ColdFusion were exploited in the wild, including a zero-day that a vendor inadvertently published. (2 years ago)
EPSS Score
35% chance of being exploited in the next 30 days.
Timeline
- CISA Reported
- Vulnerability published
- Used in Ransomware
- Exploit known to exist
- First article discovered by SecurityWeek
- Vulnerability Reserved