UPDATE–Adobe has released a patch for a critical flaw in its ColdFusion web application development system that can lead to remote code execution.
The company said in its advisory that there is a proof-of-concept writeup available for the vulnerability (CVE-2023-38203), which affects ColdFusion 2018, 2021, and 2023. The vulnerability is the result of deserialization of untrusted data in ColdFusion.
“Successful exploitation of this vulnerabilities could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” an advisory from the Center for Internet Security says.
The vulnerable versions are ColdFusion 2018 update 17 and earlier. 2021 update 7 and earlier, and 2023 update 1 and earlier.
Rapid7 researchers said they have seen attackers exploiting this vulnerability in the wild in conjunction with a second bug, an access control bypass flaw that Adobe patched on July 11. The latter vulnerability (CVE-2023-29298) is one that Rapid7 discovered and disclosed to Adobe in April. Soon after Adobe released the fix for it, Rapid7 managed services began seeing active exploitation of that bug, along with behavior that appeared to be consistent with exploitation of CVE-2023-38203).
“On July 13, Rapid7 managed services teams began observing exploitation of Adobe ColdFusion in multiple customer environments. Based on available evidence, threat actors appear to be exploiting CVE-2023-29298 in conjunction with a secondary vulnerability. The behavior our teams are observing appears to be consistent with CVE-2023-38203,” Caitlin Condon of Rapid7 said in a post detailing the exploit activity.
“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14). We have notified Adobe that their patch is incomplete. There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing.”
Enterprises should update to the fixed releases as soon as possible. Those releases are ColdFusion 2018 update 18, 2021 update 8, and 2023 update 2.
This story was updated on July 17 to add information from Rapid7.