Application Security , Governance & Risk Management , Next-Generation Technologies & Secure Development

Adobe Fixes ColdFusion Zero-Day - Again

Rework of Previous Update Available for ColdFusion Versions 2023, 2021 and 2018
Adobe Fixes ColdFusion Zero-Day - Again

Adobe released a fresh out-of-band security update to patch an improperly fixed ColdFusion zero-day vulnerability being actively exploited in the wild that allows attackers to bypass security controls. The update includes fixes for two other critical vulnerabilities.

See Also: Federal Agencies Tech Brief: Security Investigation, Detection and Rapid Response

The critical zero-day, tracked as CVE-2023-38205, with a CVSS score of 7.5, is an instance of improper access control that results in a security bypass. "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," Adobe's security bulletin says.

The zero-day affects the following versions:

  • ColdFusion 2023 - Update 2 and earlier versions
  • ColdFusion 2021 - Update 8 and earlier versions
  • ColdFusion 2018 - Update 18 and earlier versions

The Incomplete Fix

CVE-2023-38205 is a patch bypass for the incomplete fix for CVE-2023-29298, a ColdFusion authentication bypass discovered on July 11 by Rapid7 researcher Stephen Fewer.

Attackers used an exploit chain that capitalized on CVE-2023-29298 in the first part of the exploit and then used CVE-2023-29300/CVE-2023-38203 vulnerabilities to drop and run web shells on vulnerable ColdFusion servers to gain remote access to devices (see: Security Alert: Exploit Chain Actively Hits ColdFusion).

Adobe released an emergency patch to fix this vulnerability, but Rapid7 researchers determined on Monday that the fix is incomplete and said in its security blog that a trivially modified exploit still works against the latest version.

Rapid7 on Wednesday tested the latest patch bypass for CVE-2023-29298 and "has confirmed that the new patch works."

The security update addressed two other flaws including a critical deserialization vulnerability CVE-2023-38204, which has a CVSS score of 9.8 and could lead to remote code execution, and a second improper access control bug tracked as CVE-2023-38206, which could also lead to a security bypass but is not known to have been exploited in the wild. It is a moderate-severity bug with an average CVSS score of 5.3.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.