Adobe releases emergency update to fix new ColdFusion zero-day

Adobe releases emergency update to fix new ColdFusion zero-day

Adobe has released out-of-band security updates for ColdFusion versions 2023, 2021 and 2018 to address critical and moderate vulnerabilities that could lead to remote code execution and security feature bypass.

The security update fixes three vulnerabilities (CVE-2023-38204, CVE-2023-38205, CVE-2023-38206), including a new ColdFusion zero-day flaw said to have been exploited by hackers.

“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company wrote in a security alert.

Two other vulnerabilities addressed by Adobe include a critical deserialization issue that could lead to remote code execution and an improper access control flaw that could be used for security feature bypass.

The flaws impact the following products:

  • ColdFusion 2023 (Update 2 and earlier versions)

  • ColdFusion 2021 (Update 8 and earlier versions), and

  • ColdFusion 2018 (Update 18 and earlier versions)

The news comes after cybersecurity firm Rapid7 warned that the recent patch for the CVE-2023-29298 flaw in ColdFusion is incomplete. The researchers said that they detected exploitation attempts involving CVE-2023-29298 and CVE-2023-38203, with attackers executing PowerShell commands to create a web shell for access to the targeted endpoint.


Back to the list

Latest Posts

Russian GRU hackers accused of massive espionage campaign across NATO and allied nations

Russian GRU hackers accused of massive espionage campaign across NATO and allied nations

The cyber offensive reportedly struck dozens of entities, spanning both government and private sectors.
22 May 2025
Chinese-speaking threat actors exploit Cityworks zero-day to hack into US govt agencies

Chinese-speaking threat actors exploit Cityworks zero-day to hack into US govt agencies

The attacks have been ongoing since at least January 2025.
22 May 2025
Infamous Lumma stealer malware disrupted in global takedown

Infamous Lumma stealer malware disrupted in global takedown

Microsoft identified over 394,000 Windows computers infected with the Lumma malware globally.
22 May 2025