CVE-2023-29298
Published 2023-07-12
CVE-2023-29298: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control…
Priority: P1 · 89 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-10
Exploited in the wild
EPSS: 99.75% (100.0th percentile)
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= cf2023U2 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)

Indicators:

- url: `//CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx`
- url: `/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx`
- bytes: `ONEPIECE`
- bytes: `x_best_911`
- yara regex: `([0-9a-fA-F]{32},){2}[0-9a-fA-F]{32}`

Detection:

- Detect double-slash path prefix bypass: requests to //CFIDE/ (double forward slash) are the primary exploitation pattern for CVE-2023-29298, used to bypass access controls on ColdFusion admin endpoints.
- Detect path traversal bypass variant (CVE-2023-38205 patch bypass): requests containing /hax/..CFIDE/ or similar directory traversal sequences prepended to /CFIDE/ paths indicate bypass of the CVE-2023-29298 patch.
- Monitor IIS (w3wp.exe) spawning OS commands such as whoami — a strong indicator of webshell execution following ColdFusion exploitation.
- Hunt for .aspx webshell files placed in image directories (e.g., wwwroot\Images\*.aspx) — post-exploitation webshells may use steganography to hide within image files.
- Scan webshell content for the embedded strings 'ONEPIECE' and 'x_best_911' — these appeared in all webshells deployed in the observed post-exploitation campaign.
- Alert on HTTP responses from /CFIDE/ admin paths returning status 200 with content-type text/html and body length of exactly 106 bytes — matches the Nuclei detection template for successful exploitation.
- Detect access to known targeted ColdFusion admin API endpoints in web logs: /CFIDE/adminapi/_datasource/, /CFIDE/adminapi/customtags/, /CFIDE/adminapi/serverinstance.cfc, /CFIDE/adminapi/servermonitoring.cfc from external/untrusted sources.
- Monitor for the query parameter combination method=wizardHash&_cfclient=true&returnFormat=wddx in HTTP requests — this is the specific invocation used in PoC and active exploitation of CVE-2023-29298.

Notes:

- The double-slash bypass (//CFIDE/) is the original CVE-2023-29298 vector; Adobe's initial patch was bypassed by CVE-2023-38205 using path traversal (e.g., /hax/..CFIDE/). Detection rules should cover both patterns.
- The Nuclei template targets the specific utils.cfc wizardHash method; broader detection should also cover the 437 CFM and 96 CFC files accessible under /CFIDE/ in a ColdFusion 2021 Update 6 install.
- Post-exploitation activity included disabling IIS HTTP logging (%windir%\system32\inetsrv\appcmd set config /section:httpLogging /dontLog:True), which may cause gaps in web log-based detection; endpoint/EDR telemetry should be used as a complementary detection source.
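As an added defender-side example (not code from this page or from any of the quoted sources), the following Python flags the detection patterns listed above in web log lines: the double-slash and traversal prefixes before /CFIDE/, the wizardHash/_cfclient/wddx parameter combination, and the 200-status/106-byte success signature. The W3C-style field order and the sample log lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed W3C-style field order for the demo (not a real IIS #Fields line):
# date time cs-method cs-uri-stem cs-uri-query sc-status body-length
FIELDS = ["date", "time", "method", "path", "query", "status", "body_len"]
DOUBLE_SLASH = re.compile(r"^/{2,}CFIDE/", re.I)      # original CVE-2023-29298 vector
TRAVERSAL = re.compile(r"\.\.\S*?CFIDE/", re.I)       # CVE-2023-38205 style, e.g. /hax/..CFIDE/
WIZARD_PARAMS = {"method": "wizardhash", "_cfclient": "true", "returnformat": "wddx"}  # PoC query

def parse_line(line: str) -> dict:
    """Split one constructed log line into FIELDS; a query of '-' means none."""
    rec = dict(zip(FIELDS, line.split()))
    rec["query"] = "" if rec["query"] == "-" else rec["query"]
    return rec

def indicators(rec: dict) -> list:
    """Return the CVE-2023-29298/38205 indicator names that fire for one record."""
    path = unquote(rec["path"])  # decode %2F, %2E etc. before pattern matching
    hits = []
    if DOUBLE_SLASH.search(path):
        hits.append("double_slash_cfide")
    if TRAVERSAL.search(path):
        hits.append("traversal_cfide")
    params = {k.lower(): v[0].lower() for k, v in parse_qs(rec["query"]).items()}
    if all(params.get(k) == v for k, v in WIZARD_PARAMS.items()):
        hits.append("wizardhash_wddx_invocation")
    # Nuclei-style success signature: a CFIDE path answered 200 with a 106-byte body
    if "cfide/" in path.lower() and rec["status"] == "200" and rec["body_len"] == "106":
        hits.append("cfide_200_len106")
    return hits

def scan(lines) -> dict:
    """Map each request path that fires at least one indicator to its indicator list."""
    flagged = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if hits := indicators(rec):
            flagged[rec["path"]] = hits
    return flagged

# Constructed sample traffic (not real logs): two bypass attempts, a benign admin hit, a normal page
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status body-length
2023-07-13 10:01:02 GET //CFIDE/wizards/common/utils.cfc method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx 200 106
2023-07-13 10:01:03 GET /hax/..CFIDE/wizards/common/utils.cfc method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx 200 106
2023-07-13 10:02:00 GET /CFIDE/administrator/index.cfm - 302 0
2023-07-13 10:03:00 GET /index.cfm id=1 200 5120""".splitlines()
```

Because web logging may have been disabled by the attacker (see the notes above), treat a hit here as one signal and corroborate it with endpoint telemetry.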
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
GHSA
GHSA-9fcc-rhq3-fh3c: Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023
ghsa_unreviewed · 2023-07-12 · CVE-2023-29298 [HIGH] CWE-284
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
VulnCheck
Adobe ColdFusion Improper Access Control Vulnerability
vulncheck · 2023 · CVSS 7.5 · CVE-2023-29298 [HIGH] CWE-284
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-04&host_type=src&vulnerability=cve-2023-29298; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-20&host_type=src&vulnerability=cve-
CISA
Adobe ColdFusion Improper Access Control Vulnerability
cisa · 2023-07-20 · CVSS 7.5 · CVE-2023-29298 [HIGH] CWE-284
Vulnerability: Adobe ColdFusion Improper Access Control Vulnerability
Affected: Adobe ColdFusion
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html; https://nvd.nist.gov/vuln/detail/CVE-2023-29298
Remediation Due Date: 2023-08-10
No detection rules found.
Nuclei
Adobe ColdFusion - Access Control Bypass
nuclei · CVSS 7.5 · CVE-2023-29298 [HIGH]
An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
Template (truncated as extracted):

```yaml
id: CVE-2023-29298

info:
  name: Adobe ColdFusion - Access Control Bypass
  author: rootxharsh,iamnoooob,DhiyaneshDK,pdresearch
  severity: high
  description: |
    An attacker is able to access every CFM and CFC endpoint within the ColdFusion Administrator path /CFIDE/, of which there are 437 CFM files and 96 CFC files in a ColdFusion 2021 Update 6 install.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass access controls and gain unauthorized access to sensitive information or perform unauthorized actions.
  remedi
```
Huntress
Defence Impairment Olympics
blogs_huntress · 2026-06-29 · CVSS 9.8 · CVE-2023-26360 [CRITICAL]
Acknowledgements: Special thanks to Adrian Garcia, Amelia Casley, Olly Maxwell and Anton Ovrutsky for their contributions to this investigation and write-up.
## Background
At Huntress, we have visibility into various parts of a threat actor's attack chain, including how they enter the victim's environment (initial access), how they research the environment (enumeration), and how they move around the environment (lateral movement). One tactic that we see a fair amount of is defence evasion and defence impairment, that is, the specific measures threat actors take to hide their tracks during an incident and to disable defence mechanisms.
We recently responded to an incident on June 7 where a threat actor initially performed enumeration activity before later carrying out almost a dozen different type
Bleepingcomputer
Adobe warns of critical ColdFusion bug with PoC exploit code
blogs_bleepingcomputer · 2024-12-23 · CVSS 8.1 · CVE-2024-53961 [HIGH]
By Sergiu Gatlan
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," Adobe said today, while also cautioning customers that it assigned a "Priority 1" severity rating to the flaw because it has a "higher risk of being targeted, by exploit(s) in the wild for a given product ver
Greynoiseio
Three New Tags For ColdFusion (CVE-2023-29298; CVE-2023-29300) and Citrix (CVE-2023-3519)
blogs_greynoiseio · CVSS 7.5 · [HIGH]
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
GreyNoise Round-Up: Product Updates
blogs_greynoiseio
HackerOne
Adobe ColdFusion Access Control Bypass - CVE-2023-38205
hackerone · 2023-12-21 · CVSS 7.5 · CVE-2023-38205 [HIGH]
**Description:**
Hi team,
The subdomain https://████ runs Adobe ColdFusion and is vulnerable to CVE-2023-38205.
This vulnerability is a bypass path created for CVE-2023-29298.
## References
https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/
## Impact
If an attacker accesses a URL path of /hax/..CFIDE/wizards/common/utils.cfc the access control can be bypassed and the expected endpoint can still be reached, even though it is not a valid URL path.
## System Host(s)
█████████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2023-38205
## Steps to Reproduce
1. Go to: https://█████████/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&
- 2023-07-12: Published
- 2023-07-20: Added to CISA KEV
- Exploited in the wild