CVE-2023-38205
published 2023-09-14

Priority: P1 (89) · CVSS 3.1: 7.5 high
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2023-08-10
Exploited in the wild
EPSS: 99.73% (100.0th percentile)
Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

Affected (3 ranges)

Vendor   Product      Version range          Fixed in
adobe    coldfusion   2018u18 and earlier    (not listed)
adobe    coldfusion   2021u8 and earlier     (not listed)
adobe    coldfusion   2023u2 and earlier     (not listed)

Detection & IOCs (extracted from sources)

path: /hax/..CFIDE/wizards/common/utils.cfc
url: /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx
path: /CFIDE/wizards/common/utils.cfc
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205)"; flow:established,to_server; http.uri; content:"CFIDE/wizards/common/utils.cfc|3f|"; fast_pattern; content:"method|3d|wizardHash|5e 26|"; reference:url,www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion-access-control-bypass-fixed/; reference:cve,2023-38205; classtype:web-application-attack; sid:2065688; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, tls_state TLSDecrypt, created_at 2025_11_06, cve CVE_2023_38205, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit requests use a path traversal pattern with '..CFIDE' prefix (e.g., /hax/..CFIDE/...) to bypass ColdFusion's access control restrictions on the /CFIDE/ administrator endpoints.
  • Exploit HTTP requests target the utils.cfc endpoint with query parameters method=wizardHash, _cfclient=true, and returnFormat=wddx. Detect these parameter combinations in HTTP URI.
  • Successful exploitation returns a response body of exactly 106 characters (trimmed), content-type text/html, HTTP 200, containing three comma-separated 32-character hex strings (MD5 hashes).
  • CVE-2023-38205 is a bypass for the patch of CVE-2023-29298; both target ColdFusion Administrator CFM/CFC endpoints. Correlate detections for both CVEs.
  • Shodan/FOFA queries to identify exposed ColdFusion instances: http.component:"Adobe ColdFusion", http.title:"coldfusion administrator login", app="Adobe-ColdFusion".
  • The vulnerability allows bypass of ColdFusion's access control mechanisms protecting the Administrator CFM and CFC endpoints; exploitation does not require user interaction or authentication.
  • The Snort/ET rule (sid:2065688) requires TLS decryption (TLSDecrypt) to detect exploitation over HTTPS; deploy with SSLDecrypt/TLS inspection enabled for full coverage.
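The detection bullets above describe the URI pattern (a "..CFIDE" prefix reaching wizards/common/utils.cfc with method=wizardHash, _cfclient=true and returnFormat=wddx) and the response shape (HTTP 200, 106-character body) that distinguish exploitation attempts from ordinary traffic. The script below is an added example, not code from this record or from any referenced source; it applies those indicators to web-server access logs so a defender can triage attempts and separate blocked requests from ones that likely succeeded. The log lines, IP addresses and the combined-log regex are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache/Nginx combined format).
# The request URI on the first and third lines is the one listed as an IOC
# on this page; the hosts, timestamps and user agents are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [19/Jul/2023:10:01:22 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 200 106 "-" "curl/8.1.2"
198.51.100.7 - - [19/Jul/2023:10:01:40 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [19/Jul/2023:10:02:05 +0000] "GET /hax/..CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=foo&_cfclient=true&returnFormat=wddx HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.34 - - [19/Jul/2023:10:02:30 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: source IP, timestamp, method, request target,
# status and response body bytes are all we need for this check.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify_request(target):
    """Return the list of CVE-2023-38205 indicators present in one request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()          # decode %xx before matching
    query = parse_qs(parts.query, keep_blank_values=True)
    # Parameter names and values compared case-insensitively.
    qs = {k.lower(): [v.lower() for v in vs] for k, vs in query.items()}

    reasons = []
    if "..cfide/" in path:                      # traversal-style prefix, e.g. /hax/..CFIDE/
        reasons.append("dotdot-CFIDE prefix")
    if path.endswith("cfide/wizards/common/utils.cfc"):
        reasons.append("utils.cfc wizard endpoint")
    if "wizardhash" in qs.get("method", []):
        reasons.append("method=wizardHash")
    if "true" in qs.get("_cfclient", []):
        reasons.append("_cfclient=true")
    if "wddx" in qs.get("returnformat", []):
        reasons.append("returnFormat=wddx")
    return reasons


def scan_log(text):
    """Yield one hit per request that targets utils.cfc with method=wizardHash.

    A hit is marked likely_success when the server answered 200 with a 106-byte
    body, the response shape this record reports for successful exploitation;
    a 403/404 answer means the request was blocked and is lower priority.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_request(m["target"])
        if "utils.cfc wizard endpoint" in reasons and "method=wizardHash" in reasons:
            status = int(m["status"])
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "status": status,
                "reasons": reasons,
                "likely_success": status == 200 and m["bytes"] == "106",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if hit["likely_success"] else "attempt"
        print(f'{hit["ts"]} {hit["src"]} {hit["status"]} {flag}: {", ".join(hit["reasons"])}')
```

The two-indicator alert condition (endpoint plus method=wizardHash) mirrors what the ET signature above keys on, so a log-based hit and an IDS hit should line up; the extra reasons (traversal prefix, _cfclient, returnFormat) are recorded for triage rather than required, so a variant that drops one parameter still surfaces. As the last bullet notes, this log check also covers HTTPS traffic the IDS cannot see without TLS inspection.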

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 7.5 HIGH
cisa: 7.5 HIGH