Adobe ColdFusion vulnerabilities are being actively exploited by attackers to bypass authentication and execute remote commands to create a webshell on the vulnerable endpoint. ColdFusion is an Adobe product for web developers providing cloud based coding environments to build apps. Researchers at Rapid7 discovered an improper access control vulnerability in Adobe ColdFusion 2018, 2021, and 2023, that was addressed in a new update released last Tuesday, which also addressed another security bypass flaw, and a code execution flaw.  

The Rapid7-discovered flaw, CVE-2023-29298, was believed to be actively exploited in an attack chain utilising a second vulnerability, initially believed to be CVE-2023-29300, which was patched in the same update. Researchers at Project Discovery published a proof of concept (PoC) for this exploit chain, however this was then taken down, as despite appearing to use CVE-2023-29300 in the exploit, it is actually more consistent with the exploit of flaw CVE-2023-38203, which had not yet been addressed by Adobe, hence the removal of the PoC code. This critical severity vulnerability has now been patched in a new update released on Friday.  

High severity vulnerability CVE-2023-29298 can be exploited by attackers to bypass security features and access the CFM and CFC endpoints in vulnerable Adobe ColdFusion systems. This vulnerability can be exploited without the need for any user interaction, as it is caused by incorrect restrictions to resources for unauthorised actors. This is exploited alongside critical severity deserialization of untrusted data flaw CVE-2023-38203, which allows the attackers to perform remote code execution on the vulnerable system. HTTP POST requests are sent to the accessmanager.cfc file. Encoded PowerShell commands are then executed on an endpoint, creating a .\ColdFusion11\cfusion\wwwroot\CFIDE\ckeditr.cfm webshell in the \wwwroot\CFIDE directory to provide the attackers with access to the device.   

Researchers at Rapid7 believe the fix for CVE-2023-29298 is incomplete, and that it can still be exploited even when the most recent updates are applied. There is no suggested workaround to mitigate this flaw, and as the patch is incomplete, all current versions of ColdFusion are vulnerable to this exploit. However, the most recent patch versions, ColdFusion 2018 version 18, ColdFusion 2021 version 8, and ColdFusion 2023 version2, all patch CVE-2023-38203, which is a part of the attack chain and is relied upon for the CVE-2023-29298 exploit. Therefore, updating to the most recent version should still ensure that attackers cannot exploit this attack chain and should still protect your environment from unauthorised access.