CVE-2023-38203

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked · RCE

Published: 20 July 2023
Modified: 23 October 2025
KEV Added: 08 January 2024
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9426 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38203 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS 0.9426), and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Adobe ColdFusion versions 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier are affected by a Deserialization of Untrusted Data vulnerability tracked as CVE-2023-38203 and classified as CWE-502. The flaw carries a CVSS v3.1 base score of 9.8 and can lead to arbitrary code execution when the server deserializes untrusted data.

An attacker can exploit the issue remotely over the network without authentication or user interaction, gaining full control of the affected ColdFusion server, including arbitrary code execution with high impact on confidentiality, integrity, and availability.

Adobe's advisory APSB23-41 provides remediation guidance and patches for the supported versions, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog, confirming active in-the-wild exploitation.

The associated EPSS score has reached a peak of 0.9720 with a current value of 0.9426, reflecting sustained exploitation interest following disclosure.

Vulnerability details

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.

CWE(s): CWE-502 (Deserialization of Untrusted Data)
KEV Date Added: 08 January 2024

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 2018, 2021, 2023

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Enforces validation of untrusted serialized input before deserialization, directly blocking the crafted objects that trigger arbitrary code execution in ColdFusion.

Prevent (SI-2, Flaw Remediation): Requires timely application of Adobe-supplied patches that remediate the deserialization flaw in the listed ColdFusion versions.

Detect: Verifies software and information integrity to detect unauthorized code or changes resulting from successful exploitation of the deserialization vulnerability.
