Security News > 2023 > July > Adobe warns of critical Colfdusion RCE bug exploited in attacks
Adobe warns that a critical ColdFusion pre-authentication remote code execution vulnerability tracked as CVE-2023-29300 is actively exploited in attacks.
CVE-2023-29300 is rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers in low-complexity attacks.
As part of an email notification for a similar CVE-2023-38203 RCE flaw, Adobe also disclosed that CVE-2023-29300 was seen exploited in attacks.
"Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion," reads an email notification seen by BleepingComputer.
While the details of how the vulnerability is exploited are currently unknown, a recently-removed technical blog post by Project Discovery was published last week that contains a proof-of-concept exploit for CVE-2023-29300.
"In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021," explains the Project Discovery blog post.
News URL
Related news
- CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks (source)
- CISA warns critical SolarWinds RCE bug is exploited in attacks (source)
- RCE bug in widely used Ghostscript library now exploited in attacks (source)
- Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack (source)
- Critical Windows licensing bugs, plus two others under attack, top Patch Tuesday (source)
- Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP (source)
- Progress warns of critical RCE bug in Telerik Report Server (source)
- Critical ServiceNow RCE flaws actively exploited to steal credentials (source)
- Progress fixes critical RCE flaw in Telerik Report Server, upgrade ASAP! (CVE-2024-6327) (source)
- Critical Apache OFBiz pre-auth RCE flaw fixed, update ASAP! (CVE-2024-38856) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-20 | CVE-2023-38203 | Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. | 9.8 |
| 2023-07-12 | CVE-2023-29300 | Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023 Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. | 9.8 |