Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw

Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks.

As part of today’s out-of-band update, Adobe fixed three vulnerabilities: a critical RCE tracked as CVE-2023-38204 (9.8 rating), a critical Improper Access Control flaw tracked as CVE-2023-38205 (7.8 rating), and a moderate Improper Access Control flaw tracked as CVE-2023-38206 (5.3 rating).

While CVE-2023-38204 is the most critical flaw patched today, as its a remote code execution bug, it was not exploited in the wild.

However, Adobe says the CVE-2023-38205 flaw was abused in limited attacks.

"Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," explains the Adobe security bulletin.

The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researchers Stephen Fewer on July 11th.

On July 13th, Rapid7 observed attackers chaining exploits for the CVE-2023-29298 and what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws to install webshells on vulnerable ColdFusion servers to gain remote access to devices.

This Monday, Rapid7 determined that the fix for the CVE-2023-29298 vulnerability could be bypassed and disclosed it to Adobe.

"Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14)," explained Rapid7.

"We have notified Adobe that their patch is incomplete."

Today, Adobe has confirmed to BleepingComputer that the fix for CVE-2023-29298 is included in APSB23-47 as the CVE-2023-38205 patch.

As this vulnerability is actively exploited in attacks to take control of ColdFusion servers, it is strongly recommended that website operators install the update as soon as possible.