Connect with us

Hi, what are you looking for?



Adobe Releases New Patches for Exploited ColdFusion Vulnerabilities

Adobe releases a second round of patches for recent ColdFusion vulnerabilities, including flaws that have been exploited in attacks.

Adobe has released a second round of patches for some recently disclosed ColdFusion vulnerabilities, including flaws that appear to have been exploited in attacks.

On July 11, Adobe announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass. On July 14, the company informed customers about fixes for CVE-2023-38203, a deserialization issue that could lead to arbitrary code execution.  

A few days later, cybersecurity firm Rapid7 reported seeing attacks aimed at ColdFusion users. The company’s analysis showed that the attackers had exploited CVE-2023-29298 and chained it with what appeared to be CVE-2023-38203.

Rapid7 pointed out at the time that Adobe’s patch for CVE-2023-29298 was incomplete and easy to bypass. 

On Wednesday, July 19, Adobe announced another ColdFusion update to patch three new CVEs. One of them, CVE-2023-38205, is the bypass for CVE-2023-29298.

The software giant warned in its advisory that CVE-2023-38205 has been “exploited in the wild in limited attacks”.

While ‘limited attacks’ could suggest exploitation by state-sponsored threat actors in highly targeted operations, ColdFusion vulnerabilities have also been known to be exploited by profit-driven cybercrime groups.  

Advertisement. Scroll to continue reading.

Adobe has yet to confirm that CVE-2023-38203 has also been exploited in the wild. 

CVE-2023-38203 was reported to Adobe by two parties, including researchers at open source security firm ProjectDiscovery. 

On July 12, ProjectDiscovery made public what they believed to be an analysis of CVE-2023-29300, another ColdFusion vulnerability that could lead to remote code execution. However, their analysis inadvertently also disclosed CVE-2023-38203, which at the time had yet to be patched — Adobe released patches on July 14. 

ProjectDiscovery quickly pulled its blog post after being notified by Adobe and on July 19 it re-published the post with clarifications. The company found that Adobe’s patch for CVE-2023-38203 was incomplete and one of Adobe’s latest ColdFusion fixes, for CVE-2023-38204, actually addresses that patch bypass. 

Adobe on Wednesday also released a patch for CVE-2023-38206, a ColdFusion vulnerability discovered by researcher Brian Reilly, who was recently also credited by Adobe for another ColdFusion flaw tracked as CVE-2023-29301. The timing suggests that CVE-2023-38206 may have been assigned after the patch for CVE-2023-29301 was bypassed. SecurityWeek has reached out to Reilly for confirmation and will update this article if he responds. 

UPDATE: Reilly told SecurityWeek that CVE-2023-38206 is unrelated to CVE-2023-29301.

Related: Patch Tuesday: Critical Flaws in Adobe Commerce Software

Related: Adobe Patches 14 Vulnerabilities in Substance 3D Painter

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.