Adobe is warning that a critical ColdFusion pre-authentication remote code execution vulnerability identified as CVE-2023-29300 is being actively exploited in attacks.

Adobe disclosed the vulnerability on July 11, attributing the discovery to CrowdStrike researcher Nicolas Zilio.

CVE-2023-29300 is classified as critical with a severity rating of 9.8 because it can be used by unauthenticated visitors to remotely execute commands on Coldfusion Servers 2018, 2021, and 2023 that are vulnerable to malware attacks. low complexity.

When first revealed, the vulnerability had not been exploited in the wild. However, as part of an email notification for a similar CVE-2023-38203 RCE flaw, Adobe also revealed that CVE-2023-29300 has been exploited in attacks.

“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads an email notification seen by BleepingComputer.

While exploit details for the vulnerability are currently unknown, a recently removed technical blog post by Project Discovery was published last week that contains a proof-of-concept exploit for CVE-2023-29300.

According to the now-deleted Project Discovery blog post, the vulnerability stems from insecure deserialization in the WDDX library.

“In conclusion, our analysis has revealed a significant vulnerability in the WDDX deserialization process in Adobe ColdFusion 2021 (Update 6),” explains the Project Discovery blog post.

“By exploiting this vulnerability, we were able to achieve remote code execution. The problem stemmed from an insecure use of the Java Reflection API which allowed the invocation of certain methods.”

Although Adobe recommends that administrators’confinement“Installs ColdFusion to increase security and provide better defense against attacks, researchers have warned that CVE-2023-29300 can be chained with CVE-2023-29298 to bypass lockdown mode.

“To exploit this vulnerability, typically, access to a valid CFC endpoint is required. However, if the default pre-authentication CFC endpoints cannot be accessed directly due to ColdFusion lockdown mode, it is possible to combine this vulnerability with CVE-2023-29298”, concludes the technical writing of Project Discovery.

“This combination allows remote code execution on a vulnerable ColdFusion instance, even when configured in locked down mode.”

Due to its exploitation in attacks, administrators are strongly advised to upgrade ColdFusion to the latest version to fix the flaw as soon as possible.

BleepingComputer contacted CrowdStrike over the weekend to inquire about active exploitation, but was referred to Adobe. Adobe has not yet responded to our emails.

Adobe has not responded to our emails at the time of this writing.