Adobe has released a patch to fix three vulnerabilities found in its ColdFusion commercial rapid web-application development computing platform. Of the three vulnerabilities, one is a zero-day, while another one was being actively exploited in the wild.
As per a report on BleepingComputer, the three vulnerabilities in question are tracked as CVE-2023-38204 (critical RCE with a 9.8 severity score), CVE-2023-38205 (critical Improper Access Control flaw with a 7.8 severity score) and CEV-2023-38206 (moderate Improper Access Control with a 5.3 severity score).
Despite CVE-2023-38204 being critical, that’s not the one being used by hackers. It’s CVE-2023-38205, the critical Improper Access Control Flaw that Adobe saw being leveraged by threat actors.
Addressing a bypass
“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company said in a security advisory.
The CVE-2023-38205 flaw is a patch bypass for the fix for CVE-2023-29298, BleepingComputer further explained. This is a ColdFusion authentication bypass that was discovered by Rapid7 some two weeks ago.
In mid-July, cybersecurity researchers from Rapid7 saw threat actors using multiple vulnerabilities to install webshells on ColdFusion servers. These webshells gave them remote access to vulnerable endpoints. While Adobe was quick to release a patch, Rapid7 said it could be worked around:
“Rapid7 researchers determined on Monday, July 17 that the fix Adobe provided for CVE-2023-29298 on July 11 is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion (released July 14),” the researchers said.
“We have notified Adobe that their patch is incomplete.”
Now, Adobe confirmed to the media that it included a fix for CVE-2023-29298 in its latest patch.
Given the fact that the company observed the flaw being used by hackers, users are strongly advised to patch their endpoints immediately.