Adobe released a security update for ColdFusion that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks.
Adobe fixed three vulnerabilities. The most critical is a Remote Code Execution (RCE) bug tracked as CVE-2023-38204, with a severity rating of 9.8. The other two are a critical improper access control flaw, CVE-2023-38205, with a rating of 7.8, and a moderate improper access control flaw, CVE-2023-38206, with a rating of 5.3.
Although CVE-2023-38204, a remote code execution bug, is the most critical flaw patched in this update, it was not exploited in the wild. CVE-2023-38205 is a different case: Adobe stated that this vulnerability has been exploited in limited attacks targeting Adobe ColdFusion servers.
The CVE-2023-38205 flaw acted as a bypass for the patch addressing CVE-2023-29298, an authentication bypass vulnerability discovered by Rapid7 researchers on 11 July.
On 13 July, Rapid7 observed attackers exploiting CVE-2023-29298 in combination with CVE-2023-29300/CVE-2023-38203 to infiltrate vulnerable ColdFusion servers and install web shells, allowing unauthorized remote access to these devices.
Rapid7 researchers further revealed that the fix provided by Adobe for CVE-2023-29298 on 11 July was incomplete, and a slightly modified exploit continued to work on the latest ColdFusion version. As this vulnerability is being actively exploited to take control of ColdFusion servers, Adobe strongly recommends that website operators install the update as soon as possible.