On July 11, Adobe released a coordinated fix for several ColdFusion vulnerabilities, including CVE-2023-29298.
Nevertheless, it has been reported that attackers are actively exploiting two ColdFusion vulnerabilities in the wild:
Rapid7 detected Adobe ColdFusion exploitation on July 13, with threat actors leveraging “CVE-2023-29298” and a related unpublished vulnerability tracked as “CVE-2023-38203.”
Project Discovery mistakenly disclosed an n-day exploit for what they believed to be CVE-2023-29300, but Adobe fixed it in an out-of-band update on July 14.
The CVE-2023-29300 patch blocks specific class deserialization in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies.
The Project Discovery authors identified a functional gadget chain: because com.sun.rowset.JdbcRowSetImpl is not on Adobe's denylist, it can be leveraged to achieve remote code execution.
Project Discovery had unknowingly found a new zero-day flaw, leading Adobe to release an out-of-band patch on July 14 that blocks the exploit by adding the gadget's class path to the denylist.
Rapid7 found Adobe’s patch for CVE-2023-29298 incomplete since a modified exploit still works in the latest ColdFusion version. While no mitigation exists, updating to the newest version fixing CVE-2023-38203 can prevent observed attacker behavior.
Below, we have mentioned the vulnerable versions of ColdFusion:
Here below, we have mentioned all the patched versions of ColdFusion:
Although all the above-mentioned versions are patched against CVE-2023-38203, they are still vulnerable to CVE-2023-29298.
Rapid7 researchers noticed several POST requests using this exploit in IIS logs. They were all sent to "accessmanager.cfc."
Below, we have listed the detection rules:
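As an added illustration of the log-based detection described above (this is not the article's or Rapid7's own rule set), the following Python script parses IIS W3C extended log text and flags two things: POST requests whose URI stem ends in accessmanager.cfc, and any logged field that references the oastify.com callback domain the article recommends blocking. The log lines, the /CFIDE/adminapi/ path, the client IPs and the oastify subdomain are all constructed sample data, not observations from the article.

```python
"""Scan IIS W3C extended log text for POST requests to ColdFusion's
accessmanager.cfc and for logged fields that reference the oastify.com
callback domain. Sample data below is constructed for this example."""

from collections import Counter

# Constructed sample log (not from the article). IIS writes '+' for spaces
# inside a field, so whitespace splitting is safe on real IIS logs too.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-07-13 09:12:01 10.0.0.5 GET /index.cfm - 443 - 192.0.2.20 Mozilla/5.0+(Windows) - 200 0 0 15
2023-07-13 09:12:44 10.0.0.5 POST /CFIDE/adminapi/accessmanager.cfc - 443 - 198.51.100.10 python-requests/2.31 - 200 0 0 310
2023-07-13 09:12:45 10.0.0.5 POST /cfide/adminapi/AccessManager.cfc - 443 - 198.51.100.10 python-requests/2.31 - 500 0 0 120
2023-07-13 09:13:02 10.0.0.5 GET /images/logo.png - 443 - 192.0.2.20 Mozilla/5.0+(Windows) http://app.example/ 200 0 0 4
2023-07-13 09:13:10 10.0.0.5 POST /app/upload.cfm - 443 - 192.0.2.21 Mozilla/5.0+(Windows) - 200 0 0 80
2023-07-13 09:14:00 10.0.0.5 GET /index.cfm u=http://x.oastify.com/ 443 - 198.51.100.10 curl/8.0 - 200 0 0 20
"""

TARGET_ENDPOINT = "accessmanager.cfc"   # endpoint named in the article
CALLBACK_DOMAIN = "oastify.com"         # domain the article says to block


def parse_w3c_log(text):
    """Yield (line_number, record) pairs, mapping each data line onto the
    field names given by the most recent '#Fields:' directive."""
    fields = None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: data before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        yield lineno, dict(zip(fields, values))


def find_suspicious(text):
    """Return a list of findings; each is a dict with line, rule, client and uri."""
    findings = []
    for lineno, rec in parse_w3c_log(text):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "").lower()
        # Rule 1: POST to accessmanager.cfc, matched case-insensitively on the stem.
        if method == "POST" and stem.endswith("/" + TARGET_ENDPOINT):
            findings.append({"line": lineno, "rule": "post-to-accessmanager",
                             "client": rec.get("c-ip"), "uri": rec.get("cs-uri-stem")})
        # Rule 2: any logged field (query string, referer, ...) naming the callback domain.
        if any(CALLBACK_DOMAIN in value.lower() for value in rec.values()):
            findings.append({"line": lineno, "rule": "oastify-callback-reference",
                             "client": rec.get("c-ip"), "uri": rec.get("cs-uri-stem")})
    return findings


def clients_by_hits(findings):
    """Roll findings up per client IP so repeat offenders stand out."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_IIS_LOG)
    for hit in hits:
        print(f"line {hit['line']:>3}  {hit['rule']:<28} {hit['client']:<15} {hit['uri']}")
    print("per-client totals:", dict(clients_by_hits(hits)))
```

Rule 1 only sees the URI stem, so a request body carrying the deserialization payload is invisible to it; that is expected for IIS logs, which is why the article's observation is about the endpoint rather than the payload. Rule 2 will only fire when the callback domain appears in a logged field such as the query string or referer, so pair it with DNS or proxy logging for outbound traffic from the ColdFusion host.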
Moreover, cybersecurity analysts have strongly recommended that all users of Adobe ColdFusion immediately update their version to the latest one and also block the oastify[.]com domain.
Also, consider using the serialfilter.txt file in <cfhome>/lib to denylist packages with deserialization vulnerabilities, as advised in Adobe’s July 14 advisory.
IP addresses:
Domains: