Security News > 2023 > July > Critical ColdFusion flaws exploited in attacks to drop webshells

Critical ColdFusion flaws exploited in attacks to drop webshells
2023-07-17 16:26

Hackers are actively exploiting two ColdFusion vulnerabilities to bypass authentication and remotely execute commands to install webshells on vulnerable servers.

The active exploitation was seen by researchers at Rapid7, which says threat actors are chaining together exploits for an access control bypass vulnerability and what appears to be CVE-2023-38203, a critical remote code execution vulnerability.

On July 11th, Adobe disclosed a ColdFusion authentication bypass tracked as CVE-2023-29298, discovered by Rapid7 researchers Stephen Fewer, and a pre-auth RCE vulnerability tracked as CVE-2023-29300, discovered by CrowdStrike researcher Nicolas Zilio.

CVE-2023-29300 is a deserialization vulnerability rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers in low-complexity attacks.

While the vulnerability was not exploited then, a recently-removed technical blog post by Project Discovery was published on July 12th that contains a proof-of-concept exploit for CVE-2023-29300.

The attackers use these exploits to bypass security and install webshells on vulnerable ColdFusion servers to gain remote access to devices.


News URL

https://www.bleepingcomputer.com/news/security/critical-coldfusion-flaws-exploited-in-attacks-to-drop-webshells/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-07-20 CVE-2023-38203 Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution.
network
low complexity
adobe CWE-502
critical
9.8
2023-07-12 CVE-2023-29300 Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution.
network
low complexity
adobe CWE-502
critical
9.8
2023-07-12 CVE-2023-29298 Unspecified vulnerability in Adobe Coldfusion 2018/2021
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass.
network
low complexity
adobe
7.5