CVE-2023-44353
Published 2023-11-17
Priority P1 · 91 · Critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS 80.18% (99.6th percentile)
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | < 2021 | 2021 |
| adobe | coldfusion | <= 2021.11 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
- Exploit sends POST requests to /CFIDE/wizards/common/utils.cfc with query parameters `method=wizardHash`, `inPassword=bar`, and `_cfclient=true`, passing a filesystem path as the `argumentCollection` POST body parameter to trigger WDDX deserialization.
- Vulnerable endpoint returns HTTP 500 when a known filesystem path is supplied (e.g. C:\Windows\ or /etc/) and HTTP 404 when a non-existent path is supplied; the differential response indicates exploitable deserialization. The response body on 500 contains the string `coldfusion.runtime`.
- Detection logic applies to both Windows (paths C:\Windows\ vs C:\Thisdefinitelydoesnotexist\) and Linux (/etc/ vs /thesecretcowlevelisreal/): use differential HTTP status codes (500 vs 404) combined with `coldfusion.runtime` in the response body as the confirmation signal.
- Shodan queries to identify exposed Adobe ColdFusion instances potentially affected by this CVE.
- FOFA and Google dork queries to identify exposed ColdFusion administrator login pages as attack surface.
- Content-Type header used in exploit requests is `application/x-www-form-urlencoded`; monitor for POST requests to ColdFusion CFC endpoints with this content type carrying filesystem path strings in the body.
- The exploit requires no authentication and no user interaction: the vulnerable endpoint `/CFIDE/wizards/common/utils.cfc` is accessible unauthenticated on affected ColdFusion versions 2023.5 and earlier, and 2021.11 and earlier.
- The Nuclei template uses a differential (oracle-based) detection approach with 4 requests; a single request is insufficient for confirmation. Both the HTTP status code differential AND the `coldfusion.runtime` string in the body must be present simultaneously.
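The differential check and the request shape described in the bullets above, as an added example written for this page (it is not the Nuclei template, the GreyNoise write-up, or Adobe code): a standard-library Python implementation of the four-request oracle, the evaluation rule that requires both the 500/404 differential and the `coldfusion.runtime` marker, and a defender-side matcher for the exploit request shape. The base URL, the response bodies and the log fields are constructed for the offline demonstration; `send` and `scan` make real HTTP requests and are only for hosts you are authorized to test.

```python
# Added example for CVE-2023-44353: the 500-vs-404 oracle from the IOC notes
# and a request-shape matcher for body-aware logs. Standard library only.
# Sample responses below are constructed; no real host was involved.
from __future__ import annotations

import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/CFIDE/wizards/common/utils.cfc"
QUERY = {"method": "wizardHash", "inPassword": "bar", "_cfclient": "true"}
MARKER = "coldfusion.runtime"
FORM = "application/x-www-form-urlencoded"

# (existing path, non-existent path) per OS, exactly as listed in the IOC notes.
PROBE_PAIRS = {
    "windows": ("C:\\Windows\\", "C:\\Thisdefinitelydoesnotexist\\"),
    "linux": ("/etc/", "/thesecretcowlevelisreal/"),
}


def build_request(base_url: str, path: str) -> tuple[str, bytes, dict]:
    """URL, form-encoded body and headers for one probe; the path rides in argumentCollection."""
    url = base_url.rstrip("/") + ENDPOINT + "?" + urllib.parse.urlencode(QUERY)
    body = urllib.parse.urlencode({"argumentCollection": path}).encode()
    return url, body, {"Content-Type": FORM}


def classify(existing: tuple[int, str], missing: tuple[int, str]) -> bool:
    """Both signals are required: a 500-vs-404 differential AND the marker in the 500 body.
    A 500 without the marker (generic error page) or a 500 on both paths is not a hit."""
    (st_exist, body_exist), (st_missing, _) = existing, missing
    return st_exist == 500 and st_missing == 404 and MARKER in body_exist


def evaluate(responses: dict[str, tuple[int, str]]) -> dict:
    """responses maps probe path -> (status, body). One confirmed OS pair is enough."""
    per_os = {}
    for os_name, (exist_path, missing_path) in PROBE_PAIRS.items():
        if exist_path in responses and missing_path in responses:
            per_os[os_name] = classify(responses[exist_path], responses[missing_path])
    return {"vulnerable": any(per_os.values()), "per_os": per_os}


def looks_like_exploit_request(method: str, path: str, query: str,
                               content_type: str, body: str) -> bool:
    """Defender-side matcher for the request shape in the IOC notes. Needs a log source
    that records the POST body (WAF, reverse proxy); plain access logs drop it."""
    if method.upper() != "POST" or not path.lower().endswith("/cfide/wizards/common/utils.cfc"):
        return False
    q = dict(urllib.parse.parse_qsl(query))
    if q.get("method") != "wizardHash" or q.get("_cfclient") != "true":
        return False
    if not content_type.lower().startswith(FORM):
        return False
    arg = dict(urllib.parse.parse_qsl(body)).get("argumentCollection", "")
    # A filesystem path where a WDDX argument collection is expected.
    return arg.startswith("/") or (len(arg) > 2 and arg[1] == ":" and arg[2] in "\\/")


def send(url: str, body: bytes, headers: dict, timeout: float = 10) -> tuple[int, str]:
    """Send one probe and return (status, body). Network; not used by the offline demo."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 404 and 500 both arrive here
        return err.code, err.read().decode(errors="replace")


def scan(base_url: str) -> dict:
    """Four requests, then the oracle. Only against hosts you are authorized to test."""
    responses = {}
    for exist_path, missing_path in PROBE_PAIRS.values():
        for p in (exist_path, missing_path):
            responses[p] = send(*build_request(base_url, p))
    return evaluate(responses)


# Constructed responses for a vulnerable Windows host: only C:\Windows\ exists.
SAMPLE_WINDOWS_VULN = {
    "C:\\Windows\\": (500, "<html><body>coldfusion.runtime.CustomException ...</body></html>"),
    "C:\\Thisdefinitelydoesnotexist\\": (404, "<html><body>File not found</body></html>"),
    "/etc/": (404, "<html><body>File not found</body></html>"),
    "/thesecretcowlevelisreal/": (404, "<html><body>File not found</body></html>"),
}
# Constructed responses for a host that 500s on every CFC call without the marker: not a hit.
SAMPLE_GENERIC_ERROR = {p: (500, "<html>Internal Server Error</html>")
                        for pair in PROBE_PAIRS.values() for p in pair}

if __name__ == "__main__":
    print(evaluate(SAMPLE_WINDOWS_VULN))
    print(evaluate(SAMPLE_GENERIC_ERROR))
```

The oracle shows that the deserialization path is reachable and unpatched; it does not by itself prove a gadget chain executes, so confirm the installed version before reporting. The matcher needs a log source that keeps the POST body; where only the access log is available, the endpoint plus `method=wizardHash` and `_cfclient=true` in the query string is still a strong trigger for review.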
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-g46m-g2gp-9x28 (ghsa_unreviewed, 2023-11-17): CVE-2023-44353, CRITICAL, CWE-502
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
VulnCheck
Adobe ColdFusion Deserialization of Untrusted Data (vulncheck, 2023, CVSS 9.8, CRITICAL)
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
Affected: Adobe ColdFusion
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.labs.greynoise.io/grimoire/2025-12-26-coldfusion/
No detection rules found.
Nuclei
Adobe ColdFusion WDDX Deserialization Gadgets (nuclei, CVSS 9.8, CRITICAL)
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
Template (the `info` block as carried on this page; the template's request section is not included here):

```yaml
id: CVE-2023-44353

info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
    Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
  impact: |
    Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute a
```
Published 2023-11-17 · Exploited in the wild