Unauthenticated remote code execution in Adobe ColdFusion

Threat Advisory

Published by Security Testing and Assurance on 15 November 2023

 

Overview

As part of CyberCX’s commitment to securing our communities, we endeavour to work with vendors through a responsible disclosure process and advise of any vulnerabilities that we identify.

A vulnerability existed in Adobe ColdFusion where an unauthenticated attacker could obtain remote code execution. Adobe ColdFusion is an application server designed for the development and deployment of dynamic web applications with supporting back-end database systems. The remote code execution resulted from a controlled file being written into the ColdFusion web directory.

There were no prerequisites for this attack other than network connectivity to a ColdFusion instance. This vulnerability was identified by Daniel Jensen of CyberCX as part of a Red Team engagement for a customer.

 

Technical detail

Full exploitation details will be released later.

 

Affected versions

This vulnerability affects ColdFusion in its default configuration, meaning most instances of ColdFusion will be vulnerable. Initial research indicates that there are likely to be over 20,000 vulnerable hosts directly exposed to the Internet, with 380 of those located in Australia and New Zealand.

CyberCX has confirmed that this affects:

  • ColdFusion 2018 HF19 (JEE version)
  • ColdFusion 2021 U11 (Windows Installer)
  • ColdFusion 2023 U5 (Windows Installer)

All instances were tested with the secure profile active, on a Windows 10 host. Other configurations and versions may also be affected.

As of the 14th of November 2023, Adobe has released a security advisory with updates and technical notes for ColdFusion.

https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html

 

Timeline

13/09/2023 – Report sent to Adobe Product Security Incident Response Team (PSIRT).

02/11/2023 – Email sent to Adobe requesting update.

03/11/2023 – Response from Adobe stating a fix would be released on the 14th of November and noting CVE-2023-44351 has been assigned.

14/11/2023 – Adobe publicly releases advisory, along with updates and technical notes.

15/11/2023 – Release of this advisory.

 

Acknowledgements

CyberCX would like to thank the Adobe Product Security Incident Response Team for working through this disclosure and remediating the vulnerability.
