On July 11, Rapid7 coordinated with Adobe, the vendor, on fixes for several ColdFusion vulnerabilities, including CVE-2023-29298, an access-control bypass that Rapid7 had reported.
Since then, two ColdFusion vulnerabilities have been reported under active exploitation, with attackers chaining them to:
- Bypass authentication
- Remotely execute commands
- Install webshells on vulnerable servers
Rapid7 first observed exploitation of Adobe ColdFusion on July 13, with threat actors chaining CVE-2023-29298 and a second vulnerability, undisclosed at the time, that is now tracked as CVE-2023-38203.
Active exploitation
Project Discovery published what they believed to be an n-day exploit for CVE-2023-29300, which Adobe had already patched on July 11; the bug their exploit actually hit was a different one, fixed by Adobe in an out-of-band update on July 14.
The CVE-2023-29300 patch works by denylisting specific classes during deserialization of ColdFusion's WDDX data, which blocks known gadget chains without breaking existing dependencies.
The Project Discovery authors found a working gadget anyway: com.sun.rowset.JdbcRowSetImpl was not on Adobe's denylist, and it can be abused to achieve remote code execution.
Project Discovery had therefore, without realising it, found a new zero-day. Adobe's out-of-band patch of July 14 blocks the exploit by adding that class path to the denylist.
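As an added illustration, not Adobe's code and not Adobe's actual denylist, the following Python models how a class-name filter of this kind decides which classes may be deserialized. It uses the JDK serialization-filter pattern syntax (`!` rejects, `pkg.**` matches a package and its subpackages, `pkg.*` the package only, `name*` a prefix, `;` separates patterns, first match wins); that ColdFusion's filter file follows this syntax is an assumption here. The filter strings are constructed stand-ins. The point it shows is the one above: the gadget class passes a denylist that does not name its package, is rejected once `!com.sun.rowset.**` is added, and is rejected by an allowlist ending in `!*` without anyone having to anticipate the gadget.

```python
"""Model of a deserialization class filter in the style of jdk.serialFilter.

Added example; not Adobe's code. The filter strings below are constructed
stand-ins, not Adobe's real denylist. Pattern rules implemented (a subset of
the JDK syntax): '!' rejects; 'pkg.**' matches a package and all subpackages;
'pkg.*' matches that package only; 'name*' is a prefix match; anything else
is an exact class name. Patterns are ';'-separated and the first match wins.
"""


def pattern_matches(pattern: str, class_name: str) -> bool:
    """Return True if a single filter pattern (without '!') matches the class."""
    if pattern.endswith(".**"):
        return class_name.startswith(pattern[:-2])      # package + subpackages
    if pattern.endswith(".*"):
        prefix = pattern[:-1]                           # package only
        return class_name.startswith(prefix) and "." not in class_name[len(prefix):]
    if pattern.endswith("*"):
        return class_name.startswith(pattern[:-1])      # plain prefix
    return class_name == pattern                        # exact class


def check_class(filter_spec: str, class_name: str) -> bool:
    """Return True if class_name may be deserialized under filter_spec.

    A class matching no pattern is ALLOWED. That default is what makes a pure
    denylist fragile: any gadget the list does not name slips through.
    """
    for pat in (p.strip() for p in filter_spec.split(";")):
        if not pat:
            continue
        reject = pat.startswith("!")
        name = pat[1:] if reject else pat
        if pattern_matches(name, class_name):
            return not reject
    return True


# The gadget class named in the article.
GADGET = "com.sun.rowset.JdbcRowSetImpl"

# Constructed denylist that names other well-known gadget packages but not
# com.sun.rowset (this is NOT Adobe's actual list).
DENYLIST_BEFORE = "!org.apache.commons.collections.**;!com.sun.org.apache.xalan.**"

# The same list after adding the gadget's package, as the July 14 fix is described.
DENYLIST_AFTER = "!com.sun.rowset.**;" + DENYLIST_BEFORE

# Allowlist alternative: name what the application needs, reject everything else.
ALLOWLIST = "coldfusion.**;java.lang.**;java.util.**;!*"


def demo() -> dict:
    """Evaluate the gadget and a benign class under each filter."""
    return {
        "gadget_before": check_class(DENYLIST_BEFORE, GADGET),   # True: slips through
        "gadget_after": check_class(DENYLIST_AFTER, GADGET),     # False: now blocked
        "gadget_allowlist": check_class(ALLOWLIST, GADGET),      # False: never listed
        "hashmap_after": check_class(DENYLIST_AFTER, "java.util.HashMap"),  # True
        "hashmap_allowlist": check_class(ALLOWLIST, "java.util.HashMap"),   # True
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The difference between the two denylists is one pattern, which is exactly why a denylist patch can be bypassed by any gadget its authors did not think of; the allowlist form has to be maintained as the application's own classes change, but it fails closed.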
Separately, Rapid7 found Adobe's patch for CVE-2023-29298 incomplete: a modified exploit still works against the latest ColdFusion version. There is currently no mitigation for that bypass, but updating to the versions that fix CVE-2023-38203 stops the attacker behaviour observed so far, which depends on the deserialization bug for code execution.
Affected Products
The vulnerable versions of ColdFusion are:
- Adobe ColdFusion 2023 Update 1 and below
- Adobe ColdFusion 2021 Update 7 and below
- Adobe ColdFusion 2018 Update 17 and below
Patched versions of ColdFusion
The patched versions of ColdFusion are:
- Adobe ColdFusion 2023 Update 2
- Adobe ColdFusion 2021 Update 8
- Adobe ColdFusion 2018 Update 18
Note that these versions are patched against CVE-2023-38203 only; because the fix for CVE-2023-29298 is incomplete, they remain vulnerable to that bypass.
In IIS logs, Rapid7 researchers observed the exploit as a series of POST requests, all sent to "accessmanager.cfc".
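As an added example, not Rapid7's detection logic, the following Python scans IIS W3C extended log lines for the behaviour described: POST requests to accessmanager.cfc, requests for the ckeditr.cfm webshell file name, and traffic from the IOC addresses listed at the end of this page. The log lines are constructed for illustration; the request path under /CFIDE/adminapi/ in the sample is an assumption, which is why the matching keys on the file name alone, case-insensitively, rather than on a full path.

```python
"""Flag ColdFusion exploitation attempts in IIS W3C extended logs.

Added example, not part of the original report or Rapid7's rules. SAMPLE_LOG
is constructed; the IOC IPs are the ones listed in the article, written in
plain dotted form.
"""

IOC_IPS = {"62.233.50.13", "5.182.36.4", "195.58.48.155"}

# Constructed IIS log sample (not real traffic). IIS writes one '#Fields:'
# header per log file naming the columns, then space-separated records.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-07-13 10:01:02 10.0.0.5 GET /index.cfm - 443 203.0.113.7 Mozilla/5.0 200
2023-07-13 10:02:15 10.0.0.5 POST /CFIDE/adminapi/accessmanager.cfc method=foo 443 62.233.50.13 python-requests/2.31 500
2023-07-13 10:02:16 10.0.0.5 POST /cfide/ADMINAPI/AccessManager.cfc - 443 198.51.100.9 curl/8.1 200
2023-07-13 10:03:40 10.0.0.5 GET /CFIDE/administrator/index.cfm - 443 203.0.113.7 Mozilla/5.0 200
2023-07-13 10:04:01 10.0.0.5 POST /cfusion/ckeditr.cfm - 443 5.182.36.4 curl/8.1 200
"""


def parse_w3c(text: str):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed record: skip rather than guess
        yield dict(zip(fields, values))


def classify(rec: dict) -> list:
    """Return the list of reasons a record is suspicious (empty if none)."""
    reasons = []
    stem = rec.get("cs-uri-stem", "").lower()
    method = rec.get("cs-method", "").upper()
    if method == "POST" and stem.endswith("/accessmanager.cfc"):
        reasons.append("POST to accessmanager.cfc")
    if stem.endswith("/ckeditr.cfm"):
        reasons.append("request for ckeditr.cfm webshell name")
    if rec.get("c-ip") in IOC_IPS:
        reasons.append("source IP in IOC list")
    return reasons


def find_suspicious(text: str) -> list:
    """Return (client IP, URI stem, reasons) for every flagged record."""
    hits = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for ip, stem, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {stem}: {', '.join(reasons)}")
```

A POST to accessmanager.cfc from an unknown address is flagged on behaviour alone; the IOC match is a second, independent signal, so the rule still fires after the attacker changes infrastructure.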
Detection rules
The following detection rule categories cover this activity:
- Webshell
- Attacker Technique
- Attacker Tool
- Attacker Technique
- PowerShell
- Suspicious Process
Mitigation
Cybersecurity analysts strongly recommend that all Adobe ColdFusion users update to the latest version immediately and block the oastify(.)com domain, a Burp Collaborator out-of-band callback domain that the observed attacks used.
Also, consider using the serialfilter.txt file in
IOCs
IP addresses:
- 62.233.50(.)13
- 5.182.36(.)4
- 195.58.48(.)155
Domains:
- oastify(.)com
Webshell file:
- ckeditr(.)cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)