
CVE-2023-38205

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 September 2023
Modified: 23 October 2025
KEV Added: 20 July 2023
Patch: available; see Adobe security bulletin APSB23-47
CVSS v3.1: 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.9431 (100th percentile)
Risk Priority: 92 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-38205 is a high-severity Improper Access Control (CWE-284) vulnerability in Adobe ColdFusion. Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score places it at the 100th percentile of all CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.

Beyond applying the vendor update, the strongest compensating mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

Adobe ColdFusion 2018 update 18 and earlier, 2021 update 8 and earlier, and 2023 update 2 and earlier contain an improper access control vulnerability (CWE-284) that allows a security feature bypass: the restriction that is meant to keep unauthenticated clients away from the product's administrative CFM and CFC endpoints can be circumvented. The flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

An unauthenticated attacker can exploit it over the network, without user interaction, to reach those administration endpoints. The vector rates the impact as high on confidentiality only, so the direct outcome is disclosure of sensitive information rather than modification of data or denial of service.

Adobe's security bulletin APSB23-47 addresses the flaw and directs administrators to apply the vendor-supplied updates for each affected ColdFusion branch. The vulnerability also appears in CISA's catalog of known exploited vulnerabilities.
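As an added example (not Adobe's code and not this tracker's), the following Python classifies ColdFusion builds against the affected ranges stated above, so an inventory can be sorted into hosts that still need the APSB23-47 update. The version-label parser (it accepts the tracker's "2021u8" notation, "2021 update 8" and a bare "2021"), the inventory labels, and the separate "not-covered" verdict for releases the bulletin does not list are this example's own assumptions.

```python
# Added example, not code from Adobe or from this tracker page: classify
# ColdFusion builds against the affected ranges in APSB23-47 for CVE-2023-38205.
import re
from typing import Dict, Iterable, NamedTuple

# Highest update level still affected, per the bulletin ranges stated above:
# 2018 update 18, 2021 update 8, 2023 update 2 (and everything earlier).
LAST_AFFECTED_UPDATE = {2018: 18, 2021: 8, 2023: 2}


class CFVersion(NamedTuple):
    major: int   # release year: 2018, 2021, 2023
    update: int  # cumulative update number; 0 for a base install


# Accepts the tracker's "2021u8" notation as well as "2021 update 8" and a bare
# "2021" (assumption about input form; adjust for your inventory's labels).
_LABEL = re.compile(r"^(\d{4})(?:\s*(?:u|update)\s*(\d+))?$", re.IGNORECASE)


def parse_version(label: str) -> CFVersion:
    m = _LABEL.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised ColdFusion version label: {label!r}")
    return CFVersion(int(m.group(1)), int(m.group(2) or 0))


def is_affected(label: str) -> bool:
    """True if the build falls in an affected range for CVE-2023-38205.

    Raises for releases the bulletin does not list, so an inventory scan never
    reports an unlisted (and possibly unsupported) release as patched.
    """
    v = parse_version(label)
    if v.major not in LAST_AFFECTED_UPDATE:
        raise ValueError(f"ColdFusion {v.major} is not covered by APSB23-47")
    return v.update <= LAST_AFFECTED_UPDATE[v.major]


def triage(labels: Iterable[str]) -> Dict[str, str]:
    """Map each label to 'affected', 'patched', 'not-covered' or 'unknown'."""
    out: Dict[str, str] = {}
    for label in labels:
        try:
            v = parse_version(label)
        except ValueError:
            out[label] = "unknown"          # cannot parse: needs a human look
            continue
        if v.major not in LAST_AFFECTED_UPDATE:
            out[label] = "not-covered"      # release not in the bulletin
        else:
            out[label] = "affected" if is_affected(label) else "patched"
    return out


if __name__ == "__main__":
    # Constructed inventory labels, not real hosts.
    inventory = ["2018u18", "2018u19", "2021u8", "2021 update 9",
                 "2023u2", "2023u3", "2016u17", "2023"]
    for label, verdict in triage(inventory).items():
        print(f"{label:<16}{verdict}")
```

A bare "2023" (no update applied) is reported as affected, since update 0 is "2023u2 and earlier"; a release the bulletin never mentions is kept apart from "patched" on purpose, because absence from the affected list is not evidence of a fix.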

The associated EPSS score currently stands at 0.9431 with a recorded peak of 0.9587.


Vulnerability details

Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) and 2023u2 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

CWE(s): CWE-284 (Improper Access Control)
KEV Date Added: 20 July 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Adobe
Product: ColdFusion
Versions: 2018 (update 18 and earlier), 2021 (update 8 and earlier), 2023 (update 2 and earlier)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces access control policies on ColdFusion administration CFM/CFC endpoints, blocking the unauthorized bypass described in CVE-2023-38205.

AC-6 Least Privilege (prevent): Restricts administrative functions to only the privileges required, limiting exposure of the affected endpoints to unauthenticated remote attackers.

SC-7 Boundary Protection (prevent): Applies boundary protections to restrict network access to internal administrative interfaces, mitigating remote exploitation without authentication.

None of these controls replaces the update from APSB23-47; they reduce the exposure of unpatched hosts until it is applied.
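An added example (not the tracker page's code and not Adobe's) that models the controls above as a deny-by-default request filter for the ColdFusion administrative endpoints and then replays constructed web server access-log lines through it, to find admin-endpoint requests that were actually answered from outside the admin network. The paths /CFIDE/administrator/ and /CFIDE/adminapi/ are ColdFusion's standard administrator and Admin API locations; the management network 10.20.0.0/24, the log lines and the combined-log regex are constructed for this example. The path normalisation is general hygiene for any prefix-based rule, not a description of this CVE's specific bypass, which the page does not detail.

```python
# Added example, not code from Adobe or from this tracker page. Models boundary
# protection and access enforcement as a deny-by-default filter for ColdFusion
# administrative CFM/CFC endpoints, then replays constructed access-log lines.
import ipaddress
import posixpath
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Standard ColdFusion administrator and Admin API locations.
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")
# Assumed management network: the only source allowed to reach admin endpoints.
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


def normalise_path(path: str) -> str:
    """Canonicalise a request path before prefix matching.

    Strips the query string, percent-decodes once (as the web server does
    before routing), collapses '.' and '..' segments, folds case (ColdFusion on
    Windows serves paths case-insensitively) and forces a single leading slash,
    because posixpath.normpath preserves a leading '//'.
    """
    p = unquote(path.split("?", 1)[0])
    p = posixpath.normpath(p).lower()
    return "/" + p.lstrip("/")


def is_admin_endpoint(path: str) -> bool:
    p = normalise_path(path)
    return any(p == pre or p.startswith(pre + "/") for pre in ADMIN_PREFIXES)


def allow_request(client_ip: str, path: str) -> bool:
    """Allow non-admin paths; allow admin paths only from the admin network."""
    if not is_admin_endpoint(path):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ADMIN_NETWORKS)


# Combined log format: client - - [timestamp] "METHOD path PROTO" status bytes
_LOG = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def find_exposed(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, client, path, status) for admin-endpoint requests the
    filter would have denied and that the server nevertheless answered
    (status < 400). 4xx/5xx lines are attempts, not exposure, and are skipped."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        client, ts, _method, path, status = m.groups()
        code = int(status)
        if code < 400 and not allow_request(client, path):
            hits.append((ts, client, path, code))
    return hits


# Constructed log lines for this example; the addresses are documentation ranges.
SAMPLE_LOG = [
    '10.20.0.15 - - [10/Aug/2023:09:12:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Aug/2023:09:12:44 +0000] "GET /CFIDE/adminapi/base.cfc?wsdl HTTP/1.1" 200 812',
    '203.0.113.7 - - [10/Aug/2023:09:13:02 +0000] "GET /cfide/x/../administrator/index.cfm HTTP/1.1" 200 5123',
    '198.51.100.9 - - [10/Aug/2023:09:14:10 +0000] "GET /CFIDE/%61dministrator/ HTTP/1.1" 403 199',
    '198.51.100.9 - - [10/Aug/2023:09:15:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ts, client, path, code in find_exposed(SAMPLE_LOG):
        print(f"{ts}  {client:<14} {code}  {path}")
```

In production the equivalent rule belongs in the reverse proxy or web server in front of ColdFusion (the SC-7 placement), keeping the same deny-by-default shape; the log replay is useful after the fact to decide whether an unpatched host was reached on its admin endpoints before the APSB23-47 update was applied. Note the filter decodes only once: a doubly encoded path stays unmatched here, as it would stay unrouted by a server that also decodes once, so the two must be kept consistent.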
