Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)


Attackers are exploiting two Adobe ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-38203) to breach servers and install web shells to enable persistent access and allow remote control of the system, according to Rapid7 researchers.

Flaws with incomplete fixes

On July 11, 2023, Adobe released security updates for ColdFusion versions 2023, 2021 and 2018 containing fixes for three vulnerabilities:

  • CVE-2023-29298, a critical improper access control flaw that could allow attackers to bypass a security feature (reported by Rapid7’s Stephen Fewer)
  • CVE-2023-29300, a deserialization of untrusted data vulnerability that could be exploited for arbitrary code execution (reported by CrowdStrike’s Nicolas Zilio)
  • CVE-2023-29301, another security feature bypass vulnerability (reported by Brian Reilly)
