CVE-2023-38203
Published 2023-07-20
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware
- CISA Known Exploited Vulnerability, due 2024-01-29
- Exploited in the wild
- EPSS: 97.00% (99.9th percentile)
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= cf2023U2 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
- url: /CFIDE/adminapi/base.cfc?method=
- command: argumentCollection={{jndi}}
- snort: Adobe.ColdFusion.CVE-2023-38203.Insecure.Deserialization
- Payloads are frequently Base64-encoded; decode HTTP POST bodies to /CFIDE/ endpoints for JNDI/LDAP strings indicating exploitation attempts.
- Attackers use interactsh-based domains for probing/validation of the exploit; monitor DNS callbacks to interactsh infrastructure as an indicator of active exploitation.
- Post-exploitation: look for Rclone binaries masquerading as svhost.exe or scvhost.exe performing data exfiltration to MegaSync cloud storage.
- Shodan/FOFA queries can identify exposed ColdFusion instances: http.component:"Adobe ColdFusion", http.title:"coldfusion administrator login", app="Adobe-ColdFusion".
- The Nuclei template targets /CFIDE/adminapi/base.cfc while Fortinet observed attacks against /CFIDE/adminapi/accessmanager.cfc; both endpoints should be monitored as attack vectors for CVE-2023-38203.
- Storm-0501 exploitation of ColdFusion is attributed to 'possibly CVE-2023-29300 or CVE-2023-38203'; the specific CVE used in each intrusion was not definitively confirmed.
- Attacker files on the HFS public server (103.255.177.55:6895) were frequently updated during the campaign, meaning hashes may not represent the full set of malware variants deployed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-4vp5-7p37-q66w · ghsa (unreviewed) · 2023-07-20 · CVE-2023-38203 [CRITICAL] CWE-502
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
VulnCheck
vulncheck · 2023 · CVSS 9.8 · CVE-2023-38203 [CRITICAL] CWE-502
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-july-17-2023-fcd7; https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/; https://www.fortinet.com/blog/threat-research/multiple-threats-target-adobe-coldfusion-vulnerabilities; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulner
CISA
cisa · 2024-01-08 · CVSS 9.8 · CVE-2023-38203 [CRITICAL] CWE-502
Vulnerability: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Affected: Adobe ColdFusion
Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html ; https://nvd.nist.gov/vuln/detail/CVE-2023-38203
Remediation Due Date: 2024-01-29
No detection rules found.
Nuclei
nuclei · CVSS 9.8 · CVE-2023-38203 [CRITICAL]
Adobe ColdFusion - Deserialization of Untrusted Data
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
Template (truncated at source):

```yaml
id: CVE-2023-38203
info:
  name: Adobe ColdFusion - Deserialization of Untrusted Data
  author: yiran
  severity: critical
  description: |
    Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
  impact: |
    Successful exploitation of this vulnerability could
```
Bleepingcomputer
blogs_bleepingcomputer · 2024-09-27 · CVSS 9.8 · [CRITICAL]
## Embargo ransomware escalates attacks to cloud environments
By Bill Toulas
## Storm-0501 attack flow
The attacker gains access to cloud environments by exploiting weak credentials and taking advantage of privileged accounts, with the goal of stealing data and executing a ransomware payload.
Microsoft explains that the Storm-0501 obtains initial access to the network with stolen or purchased credentials, or by exploiting known vulnerabilities.
Some of the flaws used in recent attacks are CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016).
The adversary moves laterally using frameworks like Impacket and Cobalt Strike, steals data through a custom Rclone binary renamed to mimic a Windows tool, and disab
Microsoft
blogs_microsoft · 2024-09-26 · CVSS 9.8 · CVE-2022-47966 [CRITICAL]
## Storm-0501: Ransomware attacks expanding to hybrid cloud environments
Research · September 26, 2024
Storm-0501 previously achieved initial access through intrusions facilitated by access brokers like Storm-0249 and Storm-0900, leveraging possibly stolen compromised credentials to sign in to the target system, or exploiting various known remote code execution vulnerabilities in unpatched public-facing servers. In a recent campaign, Storm-0501 exploited known vulnerabilities in Zoho ManageEngine (CVE-2022-47966), Citrix NetScaler (CVE-2023-4966), and ColdFusion 2016 application (possibly CVE-2023-29300 or CVE-2023-38203). In cases observed by Microsoft, these initial access techniques, combined with insufficient operational security practices by the targets, provided the threat actor with administrative privileges on the target device.
After gaining initial a
Bleepingcomputer
blogs_bleepingcomputer · 2024-01-09 · CVSS 5.3 · [MEDIUM]
## CISA warns agencies of fourth flaw used in Triangulation spyware attacks
By Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency has added to its Known Exploited Vulnerabilities catalog six vulnerabilities that impact products from Apple, Adobe, Apache, D-Link, and Joomla.
The Known Exploited Vulnerabilities catalog, or KEV for short, contains security issues that have been actively exploited in the wild. It is a valuable resource for organizations across the globe in the vulnerability management and prioritization process.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," reads CISA's notice.
CISA has given federal agencies until January 29 to patch the six actively
Fortinet
blogs_fortinet · 2023-08-30
FORTIGUARD LABS THREAT RESEARCH
## Multiple Threats Target Adobe ColdFusion Vulnerabilities
By Cara Lin | August 30, 2023
Affected platforms: Windows and macOS
Impacted parties: Users of vulnerable versions of Adobe ColdFusion
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical
This past July, Adobe responded to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in their ColdFusion solution by releasing a series of security updates: APSB23-40, APSB23-41, and APSB23-47. An in-depth analysis of those exploits has been documented by Project Discovery, including a significant vulnerability in the WDDX deserialization process within Adobe ColdFusion 2021.
Since those updates, however, FortiGuard Labs IPS telemetry data
Threat Intel
threat_intel · CVSS 9.8 · [CRITICAL]
# Threat Actor Profile: Storm-0501
ATT&CK ID: G1053
Also known as: Storm-0501
## Overview
Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. Storm-0501 has been active since 2021 and has previously been affiliated with Sabbath Ransomware and other Ransomware-as-a-Service (RaaS) variants such as Hive, BlackCat, Hunters International, LockBit 3.0, and Embargo ransomware.(Citation: Avertium Storm-0501 Sabbath Ransomware Arcane January 2022)(Citation: Microsoft Storm-501 Sabbath Ransomware Embargo September 2024)(Citation: Microsoft Storm-0501 Embargo Ransomware August 2025)(Citation: Google Mandiant Storm-0501 Sabbath Ransomware November 2021)
## Techniques (TTPs)
### Resource Development
- T1587.003 Digita
Greynoiseio
NoiseLetter January 2024 (blogs_greynoiseio)
Timeline
- 2023-07-20: Published
- 2024-01-08: Added to CISA KEV
- Exploited in the wild