Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments. The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability. The behavior our teams are observing appears to be consistent with a zero-day
CVE-2023-29298 is a security vulnerability that affects Adobe ColdFusion. This vulnerability is categorized as an Improper Access Control issue that could result in a security feature bypass. It affects Adobe ColdFusion versions 2018u16 and earlier, as well as versions 2023, 2021, and possibly others.
An attacker could potentially exploit this vulnerability to bypass security restrictions, which could allow them to access the administration CFM and CFC endpoints. Exploitation of this issue does not necessarily require any specific conditions to be met.
Adobe has released security updates to address this vulnerability. It’s recommended to apply these updates to mitigate the risk associated with this vulnerability.
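Alongside patching, web access logs can be reviewed for requests that reached the administration CFM and CFC endpoints from outside a management network. The following is an added example, not code from Rapid7 or Adobe; the admin roots `/CFIDE/administrator` and `/CFIDE/adminapi`, the management subnet, the Common Log Format layout and the sample records are assumptions to adapt to the local install.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: default ColdFusion administrator locations; adjust per install.
ADMIN_ROOTS = ("/cfide/administrator", "/cfide/adminapi")
# Assumption: the only network that should ever reach them (constructed value).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def normalize(target):
    """Reduce a request target to one canonical, lower-case path."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/")
    return re.sub(r"/{2,}", "/", path).lower()

def is_admin_path(path):
    return any(path == r or path.startswith(r + "/") for r in ADMIN_ROOTS)

def from_mgmt(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # hostname or garbage in the client field: untrusted
        return False
    return any(ip in net for net in MGMT_NETS)

def find_admin_hits(lines):
    """Return (ip, status, path, served) for admin requests from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log record
        path = normalize(m["target"])
        if is_admin_path(path) and not from_mgmt(m["ip"]):
            status = int(m["status"])
            hits.append((m["ip"], status, path, 200 <= status < 300))
    return hits

# Constructed sample records (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jul/2023:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '10.20.0.15 - - [13/Jul/2023:10:02:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 8841',
    '198.51.100.23 - - [13/Jul/2023:10:03:44 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 199',
    '198.51.100.23 - - [13/Jul/2023:10:03:45 +0000] "POST /cfide/AdminAPI/%61dministrator.cfc?x=1 HTTP/1.1" 200 310',
]
```

Calling `find_admin_hits(SAMPLE_LOG)` returns the two external requests; the last tuple field marks the one the server answered with a 2xx status, which is the record to triage first.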
For more detailed information, you can refer to the following sources: