Connect with us

Hi, what are you looking for?



Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks

At least two new Adobe ColdFusion vulnerabilities have been exploited in the wild, including one that has not been completely patched by the software giant.

Adobe ColdFusion vulnerability exploited

At least two recently disclosed Adobe ColdFusion vulnerabilities appear to have been exploited in the wild, including a flaw that security experts say has not been completely patched by the software giant.

Last week, Adobe informed customers about three critical ColdFusion vulnerabilities. First, on July 11, it announced patches for CVE-2023-29298, an improper access control issue that can lead to a security feature bypass, and CVE-2023-29300, a deserialization issue that can be exploited for arbitrary code execution.

Then, on July 14, the company announced patches for CVE-2023-38203, another deserialization issue that could lead to arbitrary code execution. 

In notification emails sent out to some customers, Adobe mistakenly said it was aware of attacks targeting CVE-2023-29300. There is no indication that this flaw has actually been exploited. 

However, cybersecurity firm Rapid7 reported on Monday that the other two vulnerabilities patched last week, CVE-2023-29298 and CVE-2023-38203, do in fact appear to have been exploited in the wild.

Rapid7’s analysis shows that CVE-2023-29298 has been chained with another vulnerability, likely CVE-2023-38203. In attacks observed by the firm, the attackers executed PowerShell commands to create a webshell that gives them access to the targeted endpoint.

CVE-2023-38203 was discovered by researchers at ProjectDiscovery, which published a blog post detailing the findings on July 12, before Adobe announced its patch. The blog post was then taken down and Rapid7 believes ProjectDiscovery thought they were actually disclosing  CVE-2023-29300, which had already been fixed by Adobe, but in reality their July 12 blog post detailed CVE-2023-38203, for which the vendor had yet to release a patch.

Advertisement. Scroll to continue reading.

Indeed, Adobe noted when it announced patches for CVE-2023-38203 on July 14 that a proof-of-concept (PoC) blog post describing the security hole was available. 

Rapid7 warned that Adobe’s fix for one of the exploited vulnerabilities, CVE-2023-29298, is incomplete and a “trivially modified exploit still works against the latest version of ColdFusion”. The company has informed Adobe.

“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” Rapid7 said.

The security firm’s blog post provides indicators of compromise (IoCs) and mitigation guidance

This is the second time in 2023 that users have been warned about attacks exploiting ColdFusion vulnerabilities. In March, Adobe informed customers about a zero-day being leveraged in very limited attacks

While ‘limited attacks’ could suggest exploitation by state-sponsored cyberspies in highly targeted operations, ColdFusion vulnerabilities have also been known to be exploited by cybercrime groups

CISA’s Known Exploited Vulnerabilities Catalog currently contains nine ColdFusion vulnerabilities, but it does not include these latest flaws. 

Related: Patch Tuesday: Critical Flaws in Adobe Commerce Software

Related: Adobe Patches 14 Vulnerabilities in Substance 3D Painter

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.