Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks.
Adobe says the CVE-2023-38205 flaw was abused in limited attacks.
"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," explains the Adobe security bulletin.
The CVE-2023-38205 flaw is a bypass of the patch for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researcher Stephen Fewer and disclosed on July 11th. On July 13th, Rapid7 observed attackers chaining an exploit for CVE-2023-29298 with what appeared to be an exploit for CVE-2023-29300/CVE-2023-38203 to install webshells on vulnerable ColdFusion servers and gain remote access to them.
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-14 | CVE-2023-38205 | Unspecified vulnerability in Adobe ColdFusion 2018/2021/2023: Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a security feature bypass. | 7.5 |
| 2023-07-20 | CVE-2023-38203 | Deserialization of Untrusted Data vulnerability in Adobe ColdFusion 2018/2021/2023: Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. | 9.8 |
| 2023-07-12 | CVE-2023-29300 | Deserialization of Untrusted Data vulnerability in Adobe ColdFusion 2018/2021/2023: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. | 9.8 |
| 2023-07-12 | CVE-2023-29298 | Unspecified vulnerability in Adobe ColdFusion 2018/2021: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a security feature bypass. | 7.5 |