CVE-2023-38204
published 2023-09-14

Priority P1 · 89 · critical · 9.8 · CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 65.49% (99.2 percentile)
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Affected (3 ranges)

Vendor  Product     Version range        Fixed in
adobe   coldfusion  2018u18 and earlier
adobe   coldfusion  2021u8 and earlier
adobe   coldfusion  2023u2 and earlier

Detection & IOCs (extracted from sources)

Sigma: Adobe.ColdFusion.CVE-2023-38204.Insecure.Deserialization
  • Payloads delivered in exploitation attempts are Base64-encoded; decode POST body content to /CFIDE/adminapi/accessmanager.cfc for analysis.
  • Probing activity uses the interactsh tool to generate callback domains for out-of-band exploit validation; monitor DNS/HTTP callbacks to interactsh-associated domains from ColdFusion servers.
  • The exploit targets the WDDX deserialization process within Adobe ColdFusion; the vulnerability is pre-authentication, requiring no user interaction, meaning network-level exposure of the ColdFusion admin API is sufficient for exploitation.
  • Affected versions are ColdFusion 2018u18 and earlier, 2021u8 and earlier, and 2023u2 and earlier; patches were released under advisories APSB23-40, APSB23-41, and APSB23-47.
  • The Lucifer/Satan DDoS variant observed in this campaign targets Linux systems, deviating from the originally reported Windows-only targeting.

CVSS provenance

nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL