CVE-2023-38203
Published: 20 July 2023
Summary
CVE-2023-38203 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe ColdFusion versions 2018u17 and earlier, 2021u7 and earlier, and 2023u1 and earlier are affected by a Deserialization of Untrusted Data vulnerability tracked as CVE-2023-38203 and CWE-502. The flaw carries a CVSS 3.1 score of 9.8 and can lead to arbitrary code execution when untrusted data is deserialized.
An attacker can exploit the issue remotely over the network without authentication or user interaction, achieving full control over the affected ColdFusion server including the ability to execute arbitrary code with high impact on confidentiality, integrity, and availability.
Adobe's advisory APSB23-41 provides remediation guidance and patches for the supported versions, while CISA has added the CVE to its catalog of known exploited vulnerabilities, confirming active in-the-wild use.
The associated EPSS score has reached a peak of 0.9720 with a current value of 0.9426, reflecting sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-42023
Vulnerability details
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
- CWE(s): CWE-502
- KEV Date Added: 08 January 2024
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces validation of untrusted serialized input before deserialization, directly blocking the crafted objects that trigger arbitrary code execution in ColdFusion.
- SI-2 (Flaw Remediation): Requires timely application of Adobe-supplied patches that remediate the deserialization flaw in the listed ColdFusion versions.
- SI-7 (Software, Firmware, and Information Integrity): Verifies software and information integrity to detect unauthorized code or changes resulting from successful exploitation of the deserialization vulnerability.