Another Critical Adobe ColdFusion flaw reported in a week
Take action: Given the deluge of exploit chains targeting Adobe ColdFusion servers, taking the time to patch your ColdFusion installation is more than reasonable. And don't delay, since the server is by its nature exposed to the internet.
Security researchers are reporting that hackers are currently actively exploiting two critical vulnerabilities found in ColdFusion.
The active exploitation of these vulnerabilities was first observed by researchers, who discovered that threat actors are chaining two exploits:
- an access control bypass vulnerability (CVE-2023-29298)
- in combination with a brand new remote code execution vulnerability (CVE-2023-38203).
On July 14th, Adobe released an out-of-band security update to address another vulnerability, CVE-2023-38203. Researchers believe that this vulnerability bypasses the fix for the previous CVE-2023-29298 flaw, as they identified a usable ColdFusion gadget chain that could achieve remote code execution.
The updated security patch once again updates the deny list to block a specific gadget through the 'com.sun.rowset.JdbcRowSetImpl' class, which was used in the proof-of-concept exploit.
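Added example, not code from the article or from Adobe: a small Python checker for a deserialization deny list written in the JEP 290 (java.io.ObjectInputFilter) pattern syntax, the style of filter string a JVM deny list uses. It assumes only that syntax; the sample filter strings are constructed rather than copied from any ColdFusion file, and the checker shows that the order of entries decides whether the gadget class named above is actually rejected.

```python
# Constructed sample filters in JEP 290 pattern syntax (not copied from any
# ColdFusion installation). A leading '!' rejects; the first matching entry wins.
GOOD_FILTER = "!com.sun.rowset.JdbcRowSetImpl;java.util.*;!*"
WEAK_FILTER = "com.sun.rowset.*;!com.sun.rowset.JdbcRowSetImpl;!*"  # allow comes first


def _pattern_matches(pattern: str, class_name: str) -> bool:
    """Match one JEP 290 pattern (without its leading '!') against a class name."""
    if pattern == "*":
        return True
    if pattern.endswith(".**"):          # package and all sub-packages
        return class_name.startswith(pattern[:-2])
    if pattern.endswith(".*"):           # package only, no sub-packages
        prefix = pattern[:-1]
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):            # plain prefix match
        return class_name.startswith(pattern[:-1])
    return class_name == pattern         # exact class name


def filter_decision(filter_spec: str, class_name: str) -> str:
    """Return 'REJECTED', 'ALLOWED' or 'UNDECIDED' for class_name under filter_spec.

    Entries are evaluated left to right and the first match decides, as in
    ObjectInputFilter.Config.createFilter. Limit clauses such as maxdepth=N
    name no class and are skipped.
    """
    for raw in filter_spec.split(";"):
        entry = raw.strip()
        if not entry or "=" in entry:
            continue
        reject = entry.startswith("!")
        pattern = entry[1:] if reject else entry
        if _pattern_matches(pattern, class_name):
            return "REJECTED" if reject else "ALLOWED"
    return "UNDECIDED"


def gadget_is_blocked(filter_spec: str, gadget: str = "com.sun.rowset.JdbcRowSetImpl") -> bool:
    """True only if the filter positively rejects the gadget class (UNDECIDED is not enough)."""
    return filter_decision(filter_spec, gadget) == "REJECTED"
```

Run the checker against the filter string your server actually loads; an UNDECIDED result means the class is neither allowed nor denied by name, so only a trailing `!*` entry would stop it.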
Attackers are taking advantage of these vulnerabilities to install webshells on compromised ColdFusion servers, granting them unauthorized remote access. The fact remains that the CVE-2023-29300 vulnerability (and possibly CVE-2023-38203) can be combined with CVE-2023-29298 to bypass ColdFusion's lockdown mode, further increasing the risk of successful exploitation.
The attackers have been seen placing webshells in a specific folder on affected servers. As of now, there is no complete patch available for CVE-2023-29298, but exploitation of the vulnerability requires a second flaw, such as CVE-2023-38203. Therefore, updating ColdFusion to the latest version that fixes CVE-2023-38203 should effectively prevent the observed attacker behavior.