Adobe emergency patch fixes new ColdFusion zero-day used in attacks
Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks.
Adobe says the CVE-2023-38205 flaw was abused in limited attacks.
"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," explains the Adobe security bulletin.
The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researcher Stephen Fewer on July 11th. On July 13th, Rapid7 observed attackers chaining exploits for CVE-2023-29298 and what appeared to be CVE-2023-29300/CVE-2023-38203 to install webshells on vulnerable ColdFusion servers and gain remote access to the devices.
Related news
- Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws (source)
- Patch Tuesday for September 2024: Microsoft Catches Four Zero-Day Vulnerabilities (source)
- Adobe fixes Acrobat Reader zero-day with public PoC exploit (source)
- Adobe fixed Acrobat bug, neglected to mention whole zero-day exploit thing (source)
- Windows vulnerability abused braille “spaces” in zero-day attacks (source)
- Microsoft confirms IE bug squashed in Patch Tuesday was exploited zero-day (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Rackspace monitoring data stolen in ScienceLogic zero-day attack (source)
- Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit (source)
- Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE AND DESCRIPTION | RISK (CVSS) |
|---|---|---|---|
| 2023-09-14 | CVE-2023-38205 | Unspecified vulnerability in Adobe Coldfusion 2018/2021/2023: Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a security feature bypass. | 7.5 |
| 2023-07-20 | CVE-2023-38203 | Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023: Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. | 9.8 |
| 2023-07-12 | CVE-2023-29300 | Deserialization of Untrusted Data vulnerability in Adobe Coldfusion 2018/2021/2023: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. | 9.8 |
| 2023-07-12 | CVE-2023-29298 | Unspecified vulnerability in Adobe Coldfusion 2018/2021: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a security feature bypass. | 7.5 |