Adobe: Urgent patch fixes ColdFusion zero-day

Adobe has addressed three vulnerabilities in ColdFusion, including a zero-day vulnerability.

Adobe fixed three vulnerabilities in ColdFusion, their web application development platform. One of these vulnerabilities was a zero-day, and another was actively being exploited. They released a patch to address these issues.

Urgent patch fixes ColdFusion zero-day

In today’s update, Adobe fixed three vulnerabilities:

A critical remote code execution vulnerability (CVE-2023-38204) with a severity score of 9.8.
A critical improper access control flaw (CVE-2023-38205) with a severity score of 7.8.
A moderate severity improper access control flaw (CVE-38206-5,3) with a score of 5.3.

According to a report from BleepingComputer, the three vulnerabilities are CVE-2023-38204 (critical Remote Code Execution with a severity score of 9.8), CVE-2023-38205 (critical Improper Access Control flaw with a severity score of 7.8), and CEV-2023-38206 (moderate Improper Access Control with a severity score of 5.3).

Interestingly, even though CVE-2023-38204 is critical, hackers are not exploiting it. Instead, they are using CVE-2023-38205, which is the critical Improper Access Control flaw that Adobe observed being exploited by threat actors.

“According to a security advisory from Adobe, they are aware that CVE-2023-38205 has been exploited in limited attacks targeting Adobe ColdFusion.”

BleepingComputer provided additional details, explaining that the CVE-2023-38205 flaw is a patch bypass for the fix intended for CVE-2023-29298.

The latter is a ColdFusion authentication bypass that was discovered by Rapid7 approximately two weeks ago.

Site administrators are strongly advised to install the update promptly, as this vulnerability is actively being exploited in attacks that could compromise control of ColdFusion servers.