CVE-2023-29300
Published: 12 July 2023
Summary
CVE-2023-29300 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe ColdFusion 2018 update 16 and earlier, 2021 update 6 and earlier, and 2023.0.0.330468 and earlier are affected by a deserialization of untrusted data vulnerability classified as CWE-502. The flaw carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, low complexity, no privileges, no user interaction, and high impact to confidentiality, integrity, and availability.
An unauthenticated attacker with network access can supply a malicious serialized object that the server deserializes, achieving arbitrary code execution without any user interaction and therefore complete compromise of the host.
Adobe's advisory APSB23-40 lists the affected builds and the security updates that remediate the issue; the vulnerability is also catalogued in CISA's Known Exploited Vulnerabilities list, confirming active exploitation in the wild.
The EPSS score currently stands at 0.9380, with a recorded peak of 0.9705, reflecting sustained and elevated exploitation interest since disclosure.
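As an added example (not part of this entry or of Adobe's advisory), the following Python turns the affected ranges above into a check that can be run over a host inventory. It assumes ColdFusion version strings in the comma-separated major,minor,update,build form (or the dotted equivalent); the hostnames and builds in the sample inventory are constructed for illustration, except the 2023.0.0.330468 boundary, which comes from the advisory.

```python
"""Classify Adobe ColdFusion builds against the CVE-2023-29300 affected ranges
from APSB23-40: 2018 update 16 and earlier, 2021 update 6 and earlier,
2023.0.0.330468 and earlier.

Assumption (not from the advisory): version strings are
"major,minor,update,build" (e.g. "2021,0,06,330132") or the dotted form.
"""
from typing import List, Optional, Tuple

# Inclusive upper bound of the affected range per major release.
# 2018 and 2021 are bounded by update number only (build is None);
# 2023 is bounded by the exact build given in the advisory.
AFFECTED_UPPER_BOUNDS = {
    2018: (0, 16, None),
    2021: (0, 6, None),
    2023: (0, 0, 330468),
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major,minor,update,build' or 'major.minor.update.build'.

    Leading zeros in the update field (e.g. '06') are accepted.
    Raises ValueError on anything that is not four integer fields.
    """
    parts = text.strip().replace(",", ".").split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ColdFusion version string: {text!r}")
    major, minor, update, build = (int(p) for p in parts)
    return major, minor, update, build


def is_affected(text: str) -> Optional[bool]:
    """True if inside an affected range, False if newer than the range for
    its major release, None if the major release is not covered by the
    advisory at all (e.g. end-of-life 2016), which needs manual follow-up."""
    major, minor, update, build = parse_version(text)
    bound = AFFECTED_UPPER_BOUNDS.get(major)
    if bound is None:
        return None
    b_minor, b_update, b_build = bound
    if b_build is None:
        # 2018 / 2021: "update N and earlier"
        return (minor, update) <= (b_minor, b_update)
    # 2023: exact build boundary, compared as a tuple
    return (minor, update, build) <= (b_minor, b_update, b_build)


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Map host -> status label for a list of (host, version) pairs."""
    labels = {
        True: "affected",
        False: "not affected",
        None: "not covered by APSB23-40",
    }
    return {host: labels[is_affected(version)] for host, version in inventory}


# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE_INVENTORY = [
    ("cf-prod-01", "2021,0,06,330132"),
    ("cf-prod-02", "2021,0,07,330145"),
    ("cf-legacy", "2018,0,16,330109"),
    ("cf-new", "2023.0.0.330468"),
    ("cf-new-2", "2023,0,01,330470"),
    ("cf-eol", "2016,0,19,314546"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A `None` result is deliberately distinct from `False`: a release the advisory does not list is unsupported rather than safe, and should be escalated rather than silently marked clean.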
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32875
Vulnerability details
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 08 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 Information Input Validation: directly blocks deserialization of attacker-supplied objects by requiring validation/sanitization of all untrusted input before it is processed.
- SI-3 Malicious Code Protection: detects and blocks the malicious code that results from successful deserialization before it can execute on the ColdFusion server.
- SI-2 Flaw Remediation: requires prompt application of the vendor patches that eliminate the unsafe deserialization code path described in APSB23-40.
Of these, only the vendor update removes the flaw; input validation and malicious-code protection reduce exposure but do not change the vulnerable code path inside the ColdFusion runtime itself.