Hackers Actively Exploit Multiple Adobe ColdFusion Vulnerabilities

On July 11, Adobe coordinated with the vendor to fix several ColdFusion vulnerabilities, including CVE-2023-29298.

But it’s been reported that there are two ColdFusion vulnerabilities that hackers are actively exploiting to perform the following illicit tasks:

• Bypass authentication
• Remotely execute commands
• Install webshells on vulnerable servers

Rapid7 detected Adobe ColdFusion exploitation on July 13, with threat actors leveraging “CVE-2023-29298” and a related unpublished vulnerability tracked as “CVE-2023-38203.”

Active exploitation

Project Discovery mistakenly disclosed an n-day exploit for what they believed to be CVE-2023-29300, but Adobe fixed it in an out-of-band update on July 14.

The CVE-2023-29300 patch blocks specific class deserialization in ColdFusion’s WDDX data, preventing gadget-based attacks without breaking existing dependencies.

The Project Discovery authors identified a functional gadget, leveraging com.sun.rowset.JdbcRowSetImpl can achieve remote code execution as it’s not on Adobe’s Denylist.

Project Discovery unknowingly found a new zero-day flaw, leading Adobe to release an out-of-band patch on July 14, blocking the exploit by denying the classpath:

• !com[.]sun.rowset.**

Rapid7 found Adobe’s patch for CVE-2023-29298 incomplete since a modified exploit still works in the latest ColdFusion version. While no mitigation exists, updating to the newest version fixing CVE-2023-38203 can prevent observed attacker behavior.

Affected Products

Below, we have mentioned the vulnerable versions of ColdFusion:

• Adobe ColdFusion 2023 Update 1
• Adobe ColdFusion 2021 Update 7 and below
• Adobe ColdFusion 2018 Update 17 and below

Patched versions of ColdFusion

Here below, we have mentioned all the patched versions of ColdFusion:

• Adobe ColdFusion 2023 Update 2
• Adobe ColdFusion 2021 Update 8
• Adobe ColdFusion 2018 Update 18

But all the above-mentioned versions are patched against CVE-2023-338203; they are still vulnerable to CVE-2023-29298.

Rapid7 researchers noticed several POST requests to use this exploit in IIS logs. y were all sent to “accessmanager.cfc.”

Detection rules

Here below, we have mentioned all the detection rules:

• Webshell
• Attacker Technique
• Attacker Tool
• Attacker Technique
• PowerShell
• Suspicious Process

Mitigation

Moreover, cybersecurity analysts have strongly recommended that all users of Adobe ColdFusion immediately update their version to the latest one and also block the oastify[.]com domain.

Also, consider using the serialfilter.txt file in <cfhome>/lib to denylist packages with deserialization vulnerabilities, as advised in Adobe’s July 14 advisory.

IOCs

IP addresses:

• 62.233.50[.]13
• 5.182.36[.]4
• 195.58.48[.]155

Domains:

• oastify[.]com
• ckeditr[.]cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)