Two vulnerabilities in Adobe ColdFusion have been targeted in real-world attacks, according to a warning from the Cybersecurity & Infrastructure Security Agency (CISA). Both stem from inadequate validation of deserialized data and can lead to arbitrary code execution. Adobe addressed the issues with patches released in mid-July 2023, shortly after they were first identified.
COLDFUSION ACE VULNERABILITIES EXPLOITED IN REAL-WORLD ATTACKS
On January 8, CISA issued its routine update on recently exploited vulnerabilities, adding two Adobe ColdFusion flaws, both of which date back to the summer of 2023.
Although patches have been available since roughly that time, the agency states with certainty that the flaws are being exploited, which is consistent with prevailing trends. The concern is heightened because both vulnerabilities carry a CVSS score of 9.8, indicating a critical level of risk when they are used in attacks.
Both CVE-2023-29300 and CVE-2023-38203 involve inadequate validation of data during deserialization, resulting in arbitrary code execution (ACE). Notably, both vulnerabilities affect the same ColdFusion versions: 2018, 2021, and 2023.
Exploitation involves sending a specially crafted data payload to a vulnerable ColdFusion server, which allows an adversary to run code of their choosing without any user interaction, a factor that increases the severity of the vulnerability.
Arbitrary code execution vulnerabilities provide not only an initial entry point but also opportunities for lateral movement. Because no user input is required, exploitation is straightforward. Given ColdFusion's popularity as an application server, compromising it gives attackers access to critical information, and finding a victim requires little effort.
List of Affected ColdFusion Versions

| Affected ColdFusion versions |
|---|
| ColdFusion 2018, 2021, 2023 |
Here is the list of ColdFusion versions that are no longer vulnerable to these exploits: