Adobe warns customers of a critical ColdFusion RCE exploited in attacks

Adobe is warning customers of a critical ColdFusion pre-authentication RCE bug, tracked as CVE-2023-29300, which is actively exploited.

Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked as CVE-2023-29300 (CVSS score 9.8), that is actively exploited in attacks in the wild.

“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads a statement sent by the company to its customers.

An unauthenticated visitor can exploit the vulnerability to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers.

The issue is a deserialization of untrusted data that was discovered by the security researcher Nicolas Zilio from CrowdStrike.

Adobe has not disclosed the technical details of the issue either the way threat actors exploited it in the wild.

Adobe addressed a total of three vulnerabilities in ColdFusion, below the complete list of fixed issues:

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	CVSS base score	CVSS vector	CVE Numbers
Improper Access Control (CWE-284)	Security feature bypass	Critical	7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2023-29298
Deserialization of Untrusted Data (CWE-502)	Arbitrary code execution	Critical	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	CVE-2023-29300
Improper Restriction of Excessive Authentication Attempts (CWE-307)	Security feature bypass	Important	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	CVE-2023-29301

In March 2023, U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog.

The flaw is an Improper Access Control that can allow a remote attacker to execute arbitrary code. The vulnerability could also lead to arbitrary file system read and memory leak.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.