CVE-2023-38205
Published 2023-09-14
Priority P189 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-10
Exploited in the wild
EPSS: 99.73% (100.0th percentile)
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs
url: /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205)"; flow:established,to_server; http.uri; content:"CFIDE/wizards/common/utils.cfc|3f|"; fast_pattern; content:"method|3d|wizardHash|5e 26|"; reference:url,www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/; reference:cve,2023-38205; classtype:web-application-attack; sid:2065688; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_06, cve CVE_2023_38205, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Exploit requests use a path traversal pattern with a '..CFIDE' prefix (e.g., /hax/..CFIDE/...) to bypass ColdFusion's access control restrictions on the /CFIDE/ administrator endpoints.
- Exploit HTTP requests target the utils.cfc endpoint with query parameters method=wizardHash, _cfclient=true, and returnFormat=wddx. Detect these parameter combinations in the HTTP URI.
- Successful exploitation returns a response body of exactly 106 characters (trimmed), content-type text/html, HTTP 200, containing three comma-separated 32-character hex strings (MD5 hashes).
- CVE-2023-38205 is a bypass for the patch of CVE-2023-29298; both target ColdFusion Administrator CFM/CFC endpoints. Correlate detections for both CVEs.
- Shodan/FOFA queries to identify exposed ColdFusion instances: http.component:"Adobe ColdFusion", http.title:"coldfusion administrator login", app="Adobe-ColdFusion".
- The vulnerability allows bypass of ColdFusion's access control mechanisms protecting the Administrator CFM and CFC endpoints; exploitation does not require user interaction or authentication.
- The Snort/ET rule (sid:2065688) requires TLS decryption (TLSDecrypt) to detect exploitation over HTTPS; deploy with SSLDecrypt/TLS inspection enabled for full coverage.
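The request and response indicators listed above can also be hunted for in web server access logs after the fact. The following is an added example, not code from any of the cited sources: it scans combined-format log lines for the '..CFIDE' prefix (including its percent-encoded form, a generalization beyond the Snort rule) and for the utils.cfc parameter combination. The log lines, function names and reason labels are constructed for illustration, and case-insensitive matching is an assumption chosen to widen coverage.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Jul/2023:10:01:02 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 106',
    '203.0.113.7 - - [20/Jul/2023:10:01:05 +0000] "GET /x/%2e%2eCFIDE/wizards/common/utils.cfc?method=wizardHash&_cfclient=true HTTP/1.1" 200 106',
    '198.51.100.4 - - [20/Jul/2023:10:02:00 +0000] "GET /CFIDE/scripts/ajax/package/cfajax.js HTTP/1.1" 200 5120',
    '198.51.100.9 - - [20/Jul/2023:10:03:00 +0000] "GET /index.cfm?returnFormat=json HTTP/1.1" 200 840',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A path segment that starts with "..CFIDE" (assumption: match any letter case).
TRAVERSAL_RE = re.compile(r'/\.\.CFIDE(?:/|$)', re.IGNORECASE)
# Three comma-separated 32-character hex strings, as described for a successful response.
HASHES_RE = re.compile(r'\b[0-9A-Fa-f]{32},[0-9A-Fa-f]{32},[0-9A-Fa-f]{32}\b')

def classify_uri(uri):
    """Return the list of indicator labels present in one request URI."""
    parts = urlsplit(uri)
    path = unquote(parts.path)  # decode %2e%2e so encoded dots are still seen
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("dotdot-cfide-prefix")
    if path.lower().endswith("/utils.cfc") and "wizardhash" in query.get("method", []):
        reasons.append("utils-wizardhash")
    if "true" in query.get("_cfclient", []):
        reasons.append("cfclient-true")
    if "wddx" in query.get("returnformat", []):
        reasons.append("returnformat-wddx")
    return reasons

def scan(lines):
    """Return (client_ip, reasons) for every log line worth an analyst's attention."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        reasons = classify_uri(m.group(1))
        if "dotdot-cfide-prefix" in reasons or {"utils-wizardhash", "cfclient-true"} <= set(reasons):
            hits.append((line.split()[0], reasons))
    return hits

def response_looks_successful(status, body):
    """True when a captured response matches the success shape described above."""
    return status == 200 and bool(HASHES_RE.search(body.strip()))
```

A hit on the request side only shows an attempt; pairing it with `response_looks_successful` on captured response bodies separates probes from requests that reached the endpoint.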
CVSS provenance
nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck · 7.5 HIGH
cisa · 7.5 HIGH
GHSA
GHSA-76wh-rggp-rxxq: Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerabilit
ghsa_unreviewed·2023-09-14
CVE-2023-38205 [HIGH] CWE-284 GHSA-76wh-rggp-rxxq: Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerabilit
VulnCheck
Adobe ColdFusion Improper Access Control Vulnerability
vulncheck·2023·CVSS 7.5
CVE-2023-38205 [HIGH] CWE-284 Adobe ColdFusion Improper Access Control Vulnerability
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortiguard.com/outbreak-alert/adobe-coldfusion-access-bypass; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2023-38205; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&host_type=src&vulnerability=cve-2023-38205; https://dashboard.shadowserve
CISA
Adobe ColdFusion Improper Access Control Vulnerability
cisa·2023-07-20·CVSS 7.5
CVE-2023-38205 [HIGH] CWE-284 Adobe ColdFusion Improper Access Control Vulnerability
Vulnerability: Adobe ColdFusion Improper Access Control Vulnerability
Affected: Adobe ColdFusion
Adobe ColdFusion contains an improper access control vulnerability that allows for a security feature bypass.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html ; https://nvd.nist.gov/vuln/detail/CVE-2023-38205
Remediation Due Date: 2023-08-10
Suricata
ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205)
suricata·2025-11-06·CVSS 7.5
CVE-2023-38205 [HIGH] ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205)"; flow:established,to_server; http.uri; content:"CFIDE/wizards/common/utils.cfc|3f|"; fast_pattern; content:"method|3d|wizardHash|5e 26|"; reference:url,www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/; reference:cve,2023-38205; classtype:web-application-attack; sid:2065688; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_06, cve CVE_2023_38205, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Descripti
Nuclei
Adobe ColdFusion - Access Control Bypass
nuclei·CVSS 7.5
CVE-2023-38205 [HIGH] Adobe ColdFusion - Access Control Bypass
There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.
Template:
```yaml
id: CVE-2023-38205
info:
  name: Adobe ColdFusion - Access Control Bypass
  author: DhiyaneshDk
  severity: high
  description: |
    There is an access control bypass vulnerability in Adobe ColdFusion versions 2023 Update 2 and below, 2021 Update 8 and below and 2018 update 18 and below, which allows a remote attacker to bypass the ColdFusion mechanisms that restrict unauthenticated external access to ColdFusion's Administrator.
  impact: |
    Successful ex
```
Bleepingcomputer
Adobe warns of critical ColdFusion bug with PoC exploit code
blogs_bleepingcomputer·2024-12-23·CVSS 8.1
CVE-2024-53961 [HIGH] Adobe warns of critical ColdFusion bug with PoC exploit code
## Adobe warns of critical ColdFusion bug with PoC exploit code
## Sergiu Gatlan
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code.
In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
"Adobe is aware that CVE-2024-53961 has a known proof-of-concept that could cause an arbitrary file system read," Adobe said today, while also cautioning customers that it assigned a "Priority 1" severity rating to the flaw because it has a "a higher risk of being targeted, by exploit(s) in the wild for a given product ver
Bleepingcomputer
Adobe warns of critical Acrobat and Reader zero-day exploited in attacks
blogs_bleepingcomputer·2023-09-12·CVSS 7.8
CVE-2023-26369 [HIGH] Adobe warns of critical Acrobat and Reader zero-day exploited in attacks
## Adobe warns of critical Acrobat and Reader zero-day exploited in attacks
## Sergiu Gatlan
Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks.
Even though additional information on the attacks is yet to be disclosed, the zero-day is known to affect both Windows and macOS systems.
"Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company said in a security advisory published today.
The critical security flaw is tracked as CVE-2023-26369 and can let attackers gain code execution after successfully exploiting an out-of-bounds write weakness.
While threat actors can exploit it in low-complexity attacks without requiring privileges, the fl
Checkpoint
24th July – Threat Intelligence Report
blogs_checkpoint·2023-07-24
CVE-2023-3519 24th July – Threat Intelligence Report
## 24th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th July, please download our Threat_Intelligence Bulletin
TOP ATTACKS AND BREACHES
The Microsoft Exchange email account espionage campaign, which has been attributed to Chinese threat actor ‘Storm-0558’, has reportedly accessed the email account of United States ambassador to China and compromised hundreds of thousands of individual United States government emails. Researchers warn that the method used in the c
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
HackerOne
Adobe ColdFusion Access Control Bypass - CVE-2023-38205
hackerone·2023-12-21·CVSS 7.5
CVE-2023-38205 [HIGH] Adobe ColdFusion Access Control Bypass - CVE-2023-38205
**Description:**
Hi team,
The subdomain https://████ is running Adobe ColdFusion, which is vulnerable to CVE-2023-38205.
This vulnerability is a bypass path created for CVE-2023-29298.
## References
https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/
## Impact
If an attacker accesses a URL path of /hax/..CFIDE/wizards/common/utils.cfc the access control can be bypassed and the expected endpoint can still be reached, even though it is not a valid URL path.
## System Host(s)
█████████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2023-38205
## Steps to Reproduce
1. Go to: https://█████████/hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&
2023-09-14: Published
2023-07-20: Added to CISA KEV
Exploited in the wild