Adobe warns that a critical ColdFusion pre-authentication remote code execution vulnerability tracked as CVE-2023-29300 is actively exploited in attacks.
Adobe disclosed the vulnerability on July 11th, attributing the discovery to CrowdStrike researcher Nicolas Zilio.
CVE-2023-29300 is rated as critical with a 9.8 severity rating, as it can be used by unauthenticated visitors to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers in low-complexity attacks.
When first disclosed, the vulnerability had not been exploited in the wild. However, as part of an email notification for a similar CVE-2023-38203 RCE flaw, Adobe also disclosed that CVE-2023-29300 was seen exploited in attacks.
“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads an email notification seen by BleepingComputer.
While the details of how the vulnerability is exploited are currently unknown, a recently-removed technical blog post by Project Discovery was published last week that contains a proof-of-concept exploit for CVE-2023-29300.
According to Project Discovery’s now-removed blog post, the vulnerability stems from insecure deserialization in the WDDX library.
“In conclusion, our analysis revealed a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021 (Update 6),” explains the Project Discovery blog post.
“By exploiting this vulnerability, we were able to achieve remote code execution. The issue stemmed from a unsafe use of Java Reflection API that allowed the invocation of certain methods.”
While Adobe recommends that admins ‘lockdown’ ColdFusion installations to increase security and offer better defense against attacks, the researchers warned that CVE-2023-29300 can be chained with CVE-2023-29298 to bypass lockdown mode.
“To exploit this vulnerability, typically, access to a valid CFC endpoint is necessary. However, if the default pre-auth CFC endpoints cannot be accessed directly due to ColdFusion lockdown mode, it is possible to combine this vulnerability with CVE-2023-29298,” concludes Project Discovery’s technical writeup.
“This combination enables remote code execution against a vulnerable ColdFusion instance, even when it is configured in locked-down mode.”
Due to its exploitation in attacks, admins are strongly advised to upgrade ColdFusion to the latest version to patch the flaw as soon as possible.
BleepingComputer contacted CrowdStrike over the weekend to learn more about the active exploitation but was referred to Adobe. Adobe has not yet responded to our emails.
Adobe has not responded to our emails at the time of this writing.
