Hackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

On July 11, Adobe released fixes for several ColdFusion vulnerabilities, including CVE-2023-29298, an access control bypass that Rapid7 had reported to the vendor.

But Rapid7 reports that attackers are actively chaining two ColdFusion vulnerabilities to perform the following illicit tasks:

  • Bypass authentication
  • Remotely execute commands
  • Install webshells on vulnerable servers

Rapid7 observed exploitation of Adobe ColdFusion starting July 13, with threat actors chaining CVE-2023-29298 with a related, then-unpublished vulnerability now tracked as CVE-2023-38203.

Active exploitation

On July 12, Project Discovery published what they believed was an n-day exploit for CVE-2023-29300, a deserialization vulnerability in ColdFusion’s handling of WDDX data that Adobe had patched on July 11.

Adobe’s CVE-2023-29300 patch is a denylist: it blocks deserialization of specific classes from WDDX data, preventing the known gadget chains without breaking existing dependencies. Any class not on the list is still deserialized.

The Project Discovery authors found a working gadget that was not on Adobe’s denylist: com.sun.rowset.JdbcRowSetImpl, a well-known deserialization gadget that triggers a JNDI lookup and can therefore be used for remote code execution.

What Project Discovery had unknowingly found was a new, unpatched vulnerability (later assigned CVE-2023-38203). Adobe released an out-of-band patch on July 14 that blocks the exploit by adding the following entry to the deserialization denylist:

  • !com.sun.rowset.**

Rapid7 also found Adobe’s July 11 patch for CVE-2023-29298 incomplete: a trivially modified exploit still works against the latest ColdFusion version. There is currently no mitigation for CVE-2023-29298 on its own, but because the observed attack chain needs a second vulnerability to get code execution, updating to the version that fixes CVE-2023-38203 still blocks the attacker behavior seen so far.

Affected Products

Below, we have mentioned the vulnerable versions of ColdFusion:

  • Adobe ColdFusion 2023 Update 1 and below
  • Adobe ColdFusion 2021 Update 7 and below
  • Adobe ColdFusion 2018 Update 17 and below

Patched versions of ColdFusion

Here below, we have mentioned all the patched versions of ColdFusion:

  • Adobe ColdFusion 2023 Update 2
  • Adobe ColdFusion 2021 Update 8
  • Adobe ColdFusion 2018 Update 18

Note that the above versions are patched against CVE-2023-38203 only; because the fix for CVE-2023-29298 is incomplete, they are still vulnerable to that access control bypass.

In IIS logs, Rapid7 researchers observed several POST requests used to exploit this chain. They were all sent to “accessmanager.cfc,” a component of the ColdFusion Administrator API under /CFIDE/adminapi.

[Figure: POST requests to accessmanager.cfc in IIS logs (Source: Rapid7)]
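The log pattern described above, as an added example that is neither the article’s nor Rapid7’s code: a small Python scanner for IIS W3C-format logs that flags POST requests to accessmanager.cfc, requests for the ckeditr.cfm webshell name from the IOC list, and any traffic from the three published IP addresses. The log lines, the field layout and the request paths are constructed for illustration; only the endpoint name, the webshell file name and the IP addresses come from the article.

```python
"""Scan IIS W3C access logs for the ColdFusion exploitation pattern.

Added example (not the article's or Rapid7's code). The sample log below is
constructed; the indicators are the ones the article lists.
"""
from dataclasses import dataclass
from typing import Iterator

IOC_IPS = {"62.233.50.13", "5.182.36.4", "195.58.48.155"}
ADMIN_ENDPOINT = "accessmanager.cfc"   # ColdFusion admin API component
WEBSHELL_NAME = "ckeditr.cfm"          # webshell file name from the IOCs

# Constructed sample. IIS writes a '#Fields:' header naming the columns;
# the field order is taken from that line rather than hard-coded.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-07-13 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-07-13 08:01:12 10.0.0.5 GET /index.cfm - 443 198.51.100.7 Mozilla/5.0 200
2023-07-13 08:02:40 10.0.0.5 POST /CFIDE/adminapi/accessmanager.cfc - 443 62.233.50.13 python-requests/2.31 200
2023-07-13 08:02:41 10.0.0.5 POST /CFIDE/adminapi/AccessManager.cfc - 443 203.0.113.9 curl/8.1 200
2023-07-13 08:03:05 10.0.0.5 GET /CFIDE/ckeditr.cfm cmd=whoami 443 203.0.113.9 curl/8.1 200
2023-07-13 08:04:00 10.0.0.5 GET /about.cfm - 443 5.182.36.4 Mozilla/5.0 200
"""


@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str
    request: str


def parse_iis_log(text: str) -> Iterator[tuple[int, dict]]:
    """Yield (line number, record) for each data line, naming columns from
    the most recent '#Fields:' directive (IIS may emit several per file)."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError(f"line {n}: data before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production scanner would report it
        yield n, dict(zip(fields, values))


def scan_iis_log(text: str) -> list[Finding]:
    """Return one Finding per matched indicator (a line can match several)."""
    findings = []
    for n, rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "")
        stem_lc = stem.lower()            # IIS paths are case-insensitive
        ip = rec.get("c-ip", "")
        method = rec.get("cs-method", "")
        request = f"{method} {stem}"
        if method == "POST" and stem_lc.endswith("/" + ADMIN_ENDPOINT):
            findings.append(Finding(n, ip, "POST to ColdFusion admin API accessmanager.cfc", request))
        if stem_lc.rsplit("/", 1)[-1] == WEBSHELL_NAME:
            findings.append(Finding(n, ip, "request for known webshell file name ckeditr.cfm", request))
        if ip in IOC_IPS:
            findings.append(Finding(n, ip, "client IP in published IOC list", request))
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client_ip} {f.request}: {f.reason}")
```

Run it against a real log by reading the file into `scan_iis_log`; the `#Fields:` header must be present, as it is in default IIS logging. Matching on the end of the path rather than a fixed prefix is deliberate: the admin endpoint can be reached through different path spellings, and the aim here is to surface every POST to it for triage, not to encode a particular bypass.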

Detection rules

The detection rules covering this activity fall into the following categories (only the category prefix of each rule name is given):

  • Webshell
  • Attacker Technique
  • Attacker Tool
  • Attacker Technique
  • PowerShell
  • Suspicious Process

Mitigation

Security analysts strongly recommend that all Adobe ColdFusion users update to the latest version immediately and block outbound traffic to the oastify[.]com domain, the Burp Collaborator callback domain the attackers used for out-of-band interaction.

Also, as advised in Adobe’s July 14 advisory, review the serialfilter.txt file in <cfhome>/lib and add denylist entries for any package with known deserialization gadgets.
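To make the denylist behaviour discussed in the “Active exploitation” section and the serialfilter.txt advice above concrete, here is an added example, not Adobe’s code or the article’s: a Python evaluator for serialfilter.txt patterns. ColdFusion passes the file’s contents to the JDK serialization filter (JEP 290), so the matching rules implemented here follow that specification: patterns are separated by ';', a leading '!' rejects, '.**' covers a package and all subpackages, '.*' covers one package only, a bare trailing '*' is a plain prefix, and the first matching pattern wins. The two filter files are constructed (the real default is longer); the point they demonstrate is that a class the list does not mention, such as com.sun.rowset.JdbcRowSetImpl, is left UNDECIDED and therefore deserialized, until the !com.sun.rowset.** entry from Adobe’s July 14 patch is present.

```python
"""Evaluate class names against ColdFusion serialfilter.txt (JEP 290) patterns.

Added example, not Adobe's code. FILTER_BEFORE / FILTER_AFTER are constructed
stand-ins for a serialfilter.txt without and with the July 14 entry.
"""
from enum import Enum

# Constructed: a short denylist lacking the rowset entry ...
FILTER_BEFORE = "!org.apache.commons.collections.**;!org.apache.commons.beanutils.**;!org.apache.xalan.**"
# ... and the same list with the entry Adobe's out-of-band patch added.
FILTER_AFTER = FILTER_BEFORE + ";!com.sun.rowset.**"


class Status(Enum):
    ALLOWED = "allowed"       # matched a non-negated pattern
    REJECTED = "rejected"     # matched a '!' pattern
    UNDECIDED = "undecided"   # no pattern matched; ObjectInputStream proceeds


def parse_serialfilter(text: str) -> list[str]:
    """Split the file into patterns; entries are ';'-separated, newlines ignored."""
    return [p.strip() for p in text.replace("\n", "").split(";") if p.strip()]


def _pattern_matches(pattern: str, class_name: str) -> bool:
    """JEP 290 class-name matching for one pattern (without its '!')."""
    if pattern.endswith(".**"):                      # package and subpackages
        return class_name.startswith(pattern[:-2])   # keep the trailing '.'
    if pattern.endswith(".*"):                       # package only
        pkg = pattern[:-1]
        return class_name.startswith(pkg) and "." not in class_name[len(pkg):]
    if pattern.endswith("*"):                        # plain prefix
        return class_name.startswith(pattern[:-1])
    return class_name == pattern                     # exact class name


def check_class(patterns: list[str], class_name: str) -> Status:
    """First matching pattern decides; limits such as maxdepth=N are skipped."""
    for pat in patterns:
        if "=" in pat:
            continue
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if _pattern_matches(body, class_name):
            return Status.REJECTED if negate else Status.ALLOWED
    return Status.UNDECIDED


def deserialization_allowed(patterns: list[str], class_name: str) -> bool:
    """What the JVM actually does: only REJECTED stops deserialization.
    UNDECIDED is treated the same as ALLOWED, which is why a denylist that
    omits a gadget class does nothing to stop it."""
    return check_class(patterns, class_name) is not Status.REJECTED


if __name__ == "__main__":
    gadget = "com.sun.rowset.JdbcRowSetImpl"
    for label, text in (("before", FILTER_BEFORE), ("after", FILTER_AFTER)):
        pats = parse_serialfilter(text)
        print(label, gadget, check_class(pats, gadget).value,
              "allowed" if deserialization_allowed(pats, gadget) else "blocked")
```

Use it to test a candidate serialfilter.txt before deploying it: feed the file to `parse_serialfilter` and check the gadget class names you care about. The converse test is just as useful, confirming that classes your own application legitimately deserializes are not caught by an over-broad entry.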

IOCs

IP addresses:

  • 62.233.50[.]13
  • 5.182.36[.]4
  • 195.58.48[.]155

Domains:

  • oastify[.]com

Files:

  • ckeditr.cfm (webshell; SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)
Prakash
