⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Due date: 2024-01-29.
CVE-2023-29300 — Deserialization of Untrusted Data in Adobe ColdFusion
Severity
9.8 CRITICAL (NVD)
EPSS
93.7%
top 0.15%
CISA KEV
KEV, Ransomware
Added 2024-01-08
Due 2024-01-29
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
Published: Jul 12
KEV added: Jan 8
KEV due: Jan 29
Latest update: Nov 6
Description
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Vulnerability Details
Exploits & PoCs (3)
Nuclei (1): Adobe ColdFusion - Pre-Auth Remote Code Execution
Detection Rules (1)
Suricata (1): ET WEB_SPECIFIC_APPS Adobe ColdFusion Unauthenticated Remote Code Execution (CVE-2023-29300), updated 2025-11-06