18 July 2023

Critical Adobe ColdFusion flaws exploited in the wild


Threat actors are actively exploiting at least two recently disclosed Adobe ColdFusion vulnerabilities in the wild, including one whose patch is incomplete.

Last week, Adobe released security updates to address three high-risk vulnerabilities (CVE-2023-29298, CVE-2023-29300, and CVE-2023-29301). The first bug is an improper access control issue that allows bypassing implemented security restrictions and gaining unauthorized access to the application, while the second flaw could be used by an attacker for remote code execution. By exploiting the third vulnerability, a remote attacker could gain unauthorized access to the application via a brute-force attack.

On July 14, Adobe issued a patch for CVE-2023-38203, a deserialization issue that could lead to arbitrary code execution.

On Monday, cybersecurity firm Rapid7 warned it detected exploitation attempts involving CVE-2023-29298 and CVE-2023-38203, with attackers executing PowerShell commands to create a web shell for access to the targeted endpoint.
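Rapid7's description of the observed behaviour (a ColdFusion process executing PowerShell to drop a web shell) is the kind of pattern a process-creation detection rule can catch. The following Python snippet is an added illustration that is not part of the original article or of Rapid7's tooling: it parses a handful of constructed, Sysmon-style process-creation events and flags ones where a ColdFusion-parented process (assumed here to be coldfusion.exe or the JVM bundled under the ColdFusion install directory) launches a command shell, invokes PowerShell, passes an encoded command, or references a server-side script file in the web root. The install paths, file names and command lines in the sample are made up for the example, and the "..." inside them are deliberate truncations of the constructed data.

```python
import re

# Constructed process-creation events in a flattened key=value form (Sysmon
# Event ID 1 style). Paths and command lines are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    r'ParentImage=C:\ColdFusion2021\cfusion\bin\coldfusion.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -NoP -EncodedCommand UwBlAHQALQBDAG8A..."',
    r'ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -File C:\scripts\nightly-backup.ps1"',
    r'ParentImage=C:\ColdFusion2021\jre\bin\java.exe Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c powershell Set-Content C:\ColdFusion2021\cfusion\wwwroot\CFIDE\x.cfm ..."',
    r'ParentImage=C:\ColdFusion2021\cfusion\bin\coldfusion.exe Image=C:\ColdFusion2021\jre\bin\java.exe CommandLine="java -jar cfusion.jar"',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: ColdFusion's own process and its bundled JVM live under a path
# containing "ColdFusion"; adjust to the real install location when deploying.
CF_PARENT_RE = re.compile(r'coldfusion', re.IGNORECASE)
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc).
ENCODED_FLAG_RE = re.compile(r'-e(c|nc(odedcommand)?)?\b', re.IGNORECASE)
# File types the ColdFusion web server would execute if written into the web root.
SERVER_SCRIPT_RE = re.compile(r'\.(cfm|cfml|cfc|jsp)\b', re.IGNORECASE)


def parse_event(line):
    """Parse one flattened key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the list of reasons an event looks like ColdFusion-spawned shell activity."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if not CF_PARENT_RE.search(parent):
        return []  # only ColdFusion-parented activity is in scope for this rule
    reasons = []
    if basename(image) in SHELL_IMAGES:
        reasons.append("ColdFusion process spawned a command shell")
    if re.search(r'\bpowershell\b|\bpwsh\b', cmd, re.IGNORECASE):
        reasons.append("command line invokes PowerShell")
    if ENCODED_FLAG_RE.search(cmd):
        reasons.append("PowerShell encoded command flag present")
    if SERVER_SCRIPT_RE.search(cmd):
        reasons.append("command line references a server-side script file (possible web shell write)")
    return reasons


def scan(lines):
    """Return [(index, reasons)] for every event that trips at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        reasons = assess(parse_event(line))
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(reasons))
```

Of the four constructed events, only the first and third trip the rule: the second is an ordinary user-launched PowerShell script with no ColdFusion parent, and the fourth is ColdFusion starting its own JVM. Scoping every check to a ColdFusion parent keeps the rule from firing on administrative PowerShell use elsewhere on the host, which is the usual source of noise for shell-spawn detections.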

CVE-2023-38203 was discovered by researchers at ProjectDiscovery, who disclosed their findings on July 12. However, the blog post detailing the bug has since been taken down, probably after the researchers realized they had published details of a new zero-day vulnerability rather than of CVE-2023-29300, which Adobe had already patched.

Rapid7 has also warned that the fix for CVE-2023-29298 provided by Adobe is incomplete.

“There is currently no mitigation for CVE-2023-29298, but the exploit chain Rapid7 is observing in the wild relies on a secondary vulnerability for full execution on target systems. Therefore, updating to the latest available version of ColdFusion that fixes CVE-2023-38203 should still prevent the attacker behavior our MDR team is observing,” the researchers said.
