Adobe has released an emergency ColdFusion security update that fixes critical vulnerabilities, including a new zero-day exploited in attacks.
As part of today’s out-of-band update, Adobe has patched three vulnerabilities: a critical RCE tracked as CVE-2023-38204 (9.8 rating), a critical improper access control flaw tracked as CVE-2023-38205 (7.8 rating), and a moderate improper access control flaw tracked as CVE-2023-38206 (5.3 rating).
Although CVE-2023-38204, a remote code execution bug, is the most severe flaw fixed today, it has not been exploited in the wild.
However, Adobe claims that the CVE-2023-38205 flaw has been exploited in limited attacks.
“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” Adobe explains in a security bulletin.
The CVE-2023-38205 flaw is a bypass of the patch for CVE-2023-29298, a ColdFusion authentication bypass discovered by Rapid7 researcher Stephen Fewer on July 11.
On July 13, Rapid7 observed attackers chaining exploits for the CVE-2023-29298 flaw with what appeared to be the CVE-2023-29300/CVE-2023-38203 flaws to install webshells on vulnerable ColdFusion servers and gain remote access to them.
On Monday, Rapid7 determined that the fix for the CVE-2023-29298 vulnerability could be bypassed and disclosed it to Adobe.
“Rapid7 researchers determined on Monday, July 17 that the patch provided by Adobe for CVE-2023-29298 on July 11 is incomplete and a trivially modified exploit still works against the latest version of ColdFusion (released July 14),” explained Rapid7.
“We have notified Adobe that their patch is incomplete.”
Today, Adobe confirmed to BleepingComputer that the fix for CVE-2023-29298 is included in APSB23-47 as CVE-2023-38205.
As this vulnerability is actively exploited in attacks to take control of ColdFusion servers, website operators are strongly recommended to install the update as soon as possible.