CVE-2023-44353
published 2023-11-17


Priority: P1 (91) · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 80.18% (99.6th percentile)
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Affected

4 ranges
Vendor | Product    | Version range | Fixed in
adobe  | coldfusion | < 2021        | 2021
adobe  | coldfusion | <= 2021.11    |
adobe  | coldfusion |               |
adobe  | coldfusion |               |

Detection & IOCs (extracted from sources)

url: /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true
path: /CFIDE/wizards/common/utils.cfc
  • Exploit sends POST requests to /CFIDE/wizards/common/utils.cfc with query parameters `method=wizardHash`, `inPassword=bar`, and `_cfclient=true`, passing a filesystem path as the `argumentCollection` POST body parameter to trigger WDDX deserialization.
  • Vulnerable endpoint returns HTTP 500 when a known filesystem path is supplied (e.g. C:\Windows\ or /etc/) and HTTP 404 when a non-existent path is supplied — differential response indicates exploitable deserialization. Response body on 500 contains the string `coldfusion.runtime`.
  • Detection logic applies to both Windows (paths C:\Windows\ vs C:\Thisdefinitelydoesnotexist\) and Linux (/etc/ vs /thesecretcowlevelisreal/) — use differential HTTP status codes (500 vs 404) combined with `coldfusion.runtime` in the response body as the confirmation signal.
  • Shodan queries to identify exposed Adobe ColdFusion instances potentially affected by this CVE.
  • FOFA and Google dork queries to identify exposed ColdFusion administrator login pages as attack surface.
  • Content-Type header used in exploit requests is `application/x-www-form-urlencoded` — monitor for POST requests to ColdFusion CFC endpoints with this content type carrying filesystem path strings in the body.
  • The exploit requires no authentication and no user interaction — the vulnerable endpoint `/CFIDE/wizards/common/utils.cfc` is accessible unauthenticated on affected ColdFusion versions 2023.5 and earlier, and 2021.11 and earlier.
  • The Nuclei template uses a differential (oracle-based) detection approach with 4 requests; a single request is insufficient for confirmation — both the HTTP status code differential AND the `coldfusion.runtime` string in the body must be present simultaneously.
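The IOCs above describe what the probe looks like on the wire. As an added example (not code from cvebase, Adobe, or the Nuclei project), the script below turns them into a log-side detector: it parses combined-format access-log lines, flags requests to `/CFIDE/wizards/common/utils.cfc` carrying the `method=wizardHash` and `_cfclient=true` markers in either the `&`-separated or the `%20`-separated form, and then reports any source IP that collected both a 500 and a 404 from that endpoint, which is the differential pattern the template relies on. Log format, sample lines and IP addresses are constructed for the example; request bodies are not present in standard access logs, so the `argumentCollection` parameter and the `coldfusion.runtime` string cannot be checked here and would need WAF or application logs.

```python
"""Flag CVE-2023-44353 probing in web-server access logs (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample traffic in combined log format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2023:10:01:02 +0000] "POST /CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=bar&_cfclient=true HTTP/1.1" 500 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2023:10:01:03 +0000] "POST /CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=bar&_cfclient=true HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Nov/2023:10:05:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 4021 "-" "curl/8.0"
192.0.2.4 - - [17/Nov/2023:10:06:00 +0000] "POST /CFIDE/wizards/common/utils.cfc?method=wizardHash&inPassword=bar&_cfclient=true HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.9 - - [17/Nov/2023:10:07:00 +0000] "POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1" 500 1843 "-" "curl/8.0"
"""

# Request-line markers taken from the IOC list on this page.
VULN_PATH = "/cfide/wizards/common/utils.cfc"
QUERY_MARKERS = ("method=wizardhash", "_cfclient=true")

# Combined-log-format line: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields the detector needs from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_wizardhash_request(entry):
    """True when the request targets utils.cfc with the wizardHash and _cfclient markers."""
    parts = urlsplit(entry["target"])
    if parts.path.lower() != VULN_PATH:
        return False
    # Decode once so '&'-separated and '%20'-separated query variants both match.
    query = unquote(parts.query).lower()
    return all(marker in query for marker in QUERY_MARKERS)


def analyze(log_text):
    """Return every matching request plus the IPs showing the 500/404 differential pattern."""
    hits = []
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_wizardhash_request(entry):
            continue
        hits.append({"ip": entry["ip"], "ts": entry["ts"],
                     "method": entry["method"], "status": entry["status"]})
        statuses[entry["ip"]].add(entry["status"])
    # One source collecting both a 500 and a 404 from this endpoint matches the
    # oracle-style probe sequence; a lone hit is still worth reviewing but is not confirmed.
    probing_ips = sorted(ip for ip, seen in statuses.items() if {500, 404} <= seen)
    return {"requests": hits, "probing_ips": probing_ips}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["requests"]:
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} utils.cfc -> {hit["status"]}')
    print("differential probing from:", ", ".join(result["probing_ips"]) or "none")
```

Any hit on this endpoint from an unexpected source is worth triage on its own; the `probing_ips` list narrows the set to sources whose response pattern matches the template's confirmation logic, which is the signal to prioritise for containment and patch verification.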

CVSS provenance

nvd: v3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
vulncheck: 9.8 CRITICAL