Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks

At least two recently disclosed Adobe ColdFusion vulnerabilities appear to have been exploited in the wild, including a flaw that security experts say has not been completely patched by the software giant.

Last week, Adobe informed customers about three critical ColdFusion vulnerabilities. First, on July 11, it announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass, and CVE-2023-29300, a deserialization issue that can be exploited for arbitrary code execution.

Then, on July 14, the company announced patches for CVE-2023-38203, another deserialization issue that could lead to arbitrary code execution. 

In notification emails sent out to some customers, Adobe mistakenly said it was aware of attacks targeting CVE-2023-29300. There is no indication that this flaw has actually been exploited. 

However, cybersecurity firm Rapid7 reported on Monday that the other two vulnerabilities patched last week, CVE-2023-29298 and CVE-2023-38203, do in fact appear to have been exploited in the wild.

Rapid7’s analysis shows that CVE-2023-29298 has been chained with another vulnerability, likely CVE-2023-38203. In attacks observed by the firm, the attackers executed PowerShell commands to create a webshell that gives them access to the targeted endpoint.

CVE-2023-38203 was discovered by researchers at ProjectDiscovery, which published a blog post detailing the findings on July 12, before Adobe announced its patch. The blog post was then taken down and Rapid7 believes ProjectDiscovery thought they were actually disclosing  CVE-2023-29300, which had already been fixed by Adobe, but in reality their July 12 blog post detailed CVE-2023-38203, for which the vendor had yet to release a patch.

Indeed, Adobe noted when it announced patches for CVE-2023-38203 on July 14 that a proof-of-concept (PoC) blog post describing the security hole was available. 

Rapid7 warned that Adobe’s fix for one of the exploited vulnerabilities, CVE-2023-29298, is incomplete and a “trivially modified exploit still works against the latest version of ColdFusion”. The company has informed Adobe.

“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” Rapid7 said.

The security firm’s blog post provides indicators of compromise (IoCs) and mitigation guidance. 

This is the second time in 2023 that users have been warned about attacks exploiting ColdFusion vulnerabilities. In March, Adobe informed customers about a zero-day being leveraged in very limited attacks. 

While ‘limited attacks’ could suggest exploitation by state-sponsored cyberspies in highly targeted operations, ColdFusion vulnerabilities have also been known to be exploited by cybercrime groups. 

CISA’s Known Exploited Vulnerabilities Catalog currently contains nine ColdFusion vulnerabilities, but it does not include these latest flaws. 

Related: Patch Tuesday: Critical Flaws in Adobe Commerce Software

Related: Adobe Patches 14 Vulnerabilities in Substance 3D Painter