CVE-2023-29298
published 2023-07-12


Priority P1 · 89 · high · 7.5 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-10
Exploited in the wild
EPSS: 99.75% (100.0th percentile)
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Affected

4 ranges
Vendor | Product | Version range | Fixed in
adobe | coldfusion | <= cf2023U2 |
adobe | coldfusion | |
adobe | coldfusion | |
adobe | coldfusion | |

Detection & IOCs (extracted from sources)

url: //CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx
path: /CFIDE/adminapi/_datasource/setmsaccessRegistry.cfm
path: /CFIDE/adminapi/_datasource/setsldatasource.cfm
path: /CFIDE/adminapi/_datasource/setdsn.cfm
path: /CFIDE/adminapi/_datasource/formatjdbcurl.cfm
path: /CFIDE/adminapi/_datasource/getaccessdefaultsfromRegistry.cfm
path: /CFIDE/adminapi/_datasource/geturldefaults.cfm
path: /CFIDE/adminapi/customtags/l10n.cfm
path: /CFIDE/adminapi/serverinstance.cfc
path: /CFIDE/adminapi/servermonitoring.cfc
filename: UA4fp7R.aspx
filename: WRBYTR5750images.aspx
filename: i.bat
path: wwwroot\Images
path: /hax/..CFIDE/wizards/common/utils.cfc
url: /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx
registry: HKEY_LOCAL_MACHINE\SOFTWARE\FileZilla 3
path: C:\ProgramData\x
bytes: ONEPIECE
bytes: x_best_911
yara (regex): ([0-9a-fA-F]{32},){2}[0-9a-fA-F]{32}
  • Detect double-slash path prefix bypass: requests to //CFIDE/ (double forward slash) are the primary exploitation pattern for CVE-2023-29298, used to bypass access controls on ColdFusion admin endpoints.
  • Detect path traversal bypass variant (CVE-2023-38205 patch bypass): requests containing /hax/..CFIDE/ or similar directory traversal sequences prepended to /CFIDE/ paths indicate bypass of the CVE-2023-29298 patch.
  • Monitor IIS (w3wp.exe) spawning OS commands such as whoami — a strong indicator of webshell execution following ColdFusion exploitation.
  • Hunt for .aspx webshell files placed in image directories (e.g., wwwroot\Images\*.aspx) — post-exploitation webshells may use steganography to hide within image files.
  • Scan webshell content for the embedded strings 'ONEPIECE' and 'x_best_911' — these appeared in all webshells deployed in the observed post-exploitation campaign.
  • Alert on HTTP responses from /CFIDE/ admin paths returning status 200 with content-type text/html and body length of exactly 106 bytes — matches the Nuclei detection template for successful exploitation.
  • Detect access to known targeted ColdFusion admin API endpoints in web logs: /CFIDE/adminapi/_datasource/, /CFIDE/adminapi/customtags/, /CFIDE/adminapi/serverinstance.cfc, /CFIDE/adminapi/servermonitoring.cfc from external/untrusted sources.
  • Monitor for the query parameter combination method=wizardHash&_cfclient=true&returnFormat=wddx in HTTP requests — this is the specific invocation used in PoC and active exploitation of CVE-2023-29298.
  • The double-slash bypass (//CFIDE/) is the original CVE-2023-29298 vector; Adobe's initial patch was bypassed by CVE-2023-38205 using path traversal (e.g., /hax/..CFIDE/). Detection rules should cover both patterns.
  • The Nuclei template targets the specific utils.cfc wizardHash method; broader detection should also cover the 437 CFM and 96 CFC files accessible under /CFIDE/ in a ColdFusion 2021 Update 6 install.
  • Post-exploitation activity included disabling IIS HTTP logging (%windir%\system32\inetsrv\appcmd set config /section:httpLogging /dontLog:True), which may cause gaps in web log-based detection; endpoint/EDR telemetry should be used as a complementary detection source.
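The web-log detection points above (double-slash prefix, traversal prefix, the wizardHash parameter combination, admin API access from untrusted sources, and the 200/106-byte response signature) can be folded into one scanner. The following is an added example, not code from the page's sources or from any detection vendor; it assumes combined-format access log lines (IIS W3C logs would need a different parser), uses constructed sample lines with documentation-range IPs, and the `trusted_sources` allowlist is a hypothetical parameter for suppressing expected internal admin traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2023:10:01:02 +0000] "GET //CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 106
203.0.113.7 - - [12/Jul/2023:10:01:09 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 106
198.51.100.4 - - [12/Jul/2023:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 5120
198.51.100.9 - - [12/Jul/2023:10:03:00 +0000] "GET /CFIDE/adminapi/serverinstance.cfc HTTP/1.1" 200 2048
"""

# ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Original CVE-2023-29298 vector: two or more leading slashes before CFIDE/
DOUBLE_SLASH_RE = re.compile(r'^/{2,}cfide/', re.IGNORECASE)
# CVE-2023-38205 patch-bypass variant: ".." (with or without a slash) glued to CFIDE/
TRAVERSAL_RE = re.compile(r'\.\./?cfide/', re.IGNORECASE)
# Admin API endpoints listed among the IOCs above
ADMINAPI_RE = re.compile(r'/cfide/adminapi/', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = unquote(path)  # one decode pass so %2F-style encodings are visible
    entry["query"] = query
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def classify(entry, trusted_sources=frozenset()):
    """Return the list of detection tags that apply to a parsed log entry."""
    tags = []
    path, query = entry["path"], entry["query"]
    if DOUBLE_SLASH_RE.match(path):
        tags.append("double_slash_prefix")
    if TRAVERSAL_RE.search(path):
        tags.append("traversal_prefix")
    # Case-insensitive parameter match for the PoC invocation signature
    params = {k.lower(): [v.lower() for v in vs] for k, vs in parse_qs(query).items()}
    if (params.get("method") == ["wizardhash"]
            and params.get("_cfclient") == ["true"]
            and params.get("returnformat") == ["wddx"]):
        tags.append("wizardhash_invocation")
    # Admin API access is only interesting from outside the (hypothetical) allowlist
    if ADMINAPI_RE.search(path) and entry["ip"] not in trusted_sources:
        tags.append("adminapi_access")
    # Nuclei success signature: 200 on a /CFIDE/ path with a 106-byte body
    if "cfide/" in path.lower() and entry["status"] == 200 and entry["size"] == 106:
        tags.append("nuclei_106_byte_response")
    return tags


def scan(log_text, trusted_sources=frozenset()):
    """Scan a block of log text and return one finding per line that triggers any tag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry, trusted_sources)
        if tags:
            findings.append({"ip": entry["ip"], "path": entry["path"], "tags": tags})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], ",".join(f["tags"]))
```

Because the observed post-exploitation activity turned off IIS HTTP logging, a scanner like this only sees traffic up to that point; the endpoint-side indicators (w3wp.exe spawning commands, .aspx files under wwwroot\Images, the ONEPIECE and x_best_911 strings) remain necessary as a second source.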

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH