Hackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

On July 11, Adobe coordinated with the vendor to fix several ColdFusion vulnerabilities, including CVE-2023-29298.

But it’s been reported that there are two ColdFusion vulnerabilities that hackers are actively exploiting to perform the following illicit tasks:

Bypass authentication
Remotely execute commands
Install webshells on vulnerable servers

Rapid7 detected Adobe ColdFusion exploitation on July 13, with threat actors leveraging “CVE-2023-29298” and a related unpublished vulnerability tracked as “CVE-2023-38203.”

Active exploitation

Project Discovery mistakenly disclosed an n-day exploit for what they believed to be CVE-2023-29300, but Adobe fixed it in an out-of-band update on July 14.

The CVE-2023-29300 patch blocks specific class deserialization in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies.

The Project Discovery authors identified a functional gadget, leveraging com.sun.rowset.JdbcRowSetImpl can achieve remote code execution as it’s not on Adobe’s Denylist.

Project Discovery unknowingly found a new zero-day flaw, leading Adobe to release an out-of-band patch on July 14, blocking the exploit by denying the classpath:

!com[.]sun.rowset.**

Rapid7 found Adobe’s patch for CVE-2023-29298 incomplete since a modified exploit still works in the latest ColdFusion version. While no mitigation exists, updating to the newest version fixing CVE-2023-38203 can prevent observed attacker behavior.

Affected Products

Below, we have mentioned the vulnerable versions of ColdFusion:

Adobe ColdFusion 2023 Update 1
Adobe ColdFusion 2021 Update 7 and below
Adobe ColdFusion 2018 Update 17 and below

Patched versions of ColdFusion

Here below, we have mentioned all the patched versions of ColdFusion:

Adobe ColdFusion 2023 Update 2
Adobe ColdFusion 2021 Update 8
Adobe ColdFusion 2018 Update 18

But all the above-mentioned versions are patched against CVE-2023-338203; they are still vulnerable to CVE-2023-29298.

Rapid7 researchers noticed several POST requests to use this exploit in IIS logs. y were all sent to “accessmanager.cfc.”

Detection rules

Here below, we have mentioned all the detection rules:

Webshell
Attacker Technique
Attacker Tool
Attacker Technique
PowerShell
Suspicious Process

Mitigation

Moreover, cybersecurity analysts have strongly recommended that all users of Adobe ColdFusion immediately update their version to the latest one and also block the oastify[.]com domain.

Also, consider using the serialfilter.txt file in <cfhome>/lib to denylist packages with deserialization vulnerabilities, as advised in Adobe’s July 14 advisory.