Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked as CVE-2023-29300 (CVSS score 9.8), that is actively exploited in attacks in the wild.
“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads a statement sent by the company to its customers.
An unauthenticated visitor can exploit the vulnerability to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers.
The issue is a deserialization of untrusted data that was discovered by the security researcher Nicolas Zilio from CrowdStrike.
Adobe has not disclosed the technical details of the issue either the way threat actors exploited it in the wild.
Adobe addressed a total of three vulnerabilities in ColdFusion, below the complete list of fixed issues:
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Numbers |
| Improper Access Control (CWE-284) | Security feature bypass | Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2023-29298 |
| Deserialization of Untrusted Data (CWE-502) | Arbitrary code execution | Critical | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CVE-2023-29300 |
| Improper Restriction of Excessive Authentication Attempts (CWE-307) | Security feature bypass | Important | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2023-29301 |
In March 2023, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog.
The flaw is an Improper Access Control that can allow a remote attacker to execute arbitrary code. The vulnerability could also lead to arbitrary file system read and memory leak.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Adobe)
Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…
Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
This website uses cookies.
