Adobe has released out-of-band security updates for ColdFusion versions 2023, 2021 and 2018 to address critical and moderate vulnerabilities that could lead to remote code execution and security feature bypass.

The security update fixes three vulnerabilities (CVE-2023-38204, CVE-2023-38205, CVE-2023-38206), including a new ColdFusion zero-day flaw said to have been exploited by hackers.

“Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion,” the company wrote in a security alert.

Two other vulnerabilities addressed by Adobe include a critical deserialization issue that could lead to remote code execution and an improper access control flaw that could be used for security feature bypass.

The flaws impact the following products:

• ColdFusion 2023 (Update 2 and earlier versions)

• ColdFusion 2021 (Update 8 and earlier versions), and

• ColdFusion 2018 (Update 18 and earlier versions)

The news comes after cybersecurity firm Rapid7 warned that the recent patch for the CVE-2023-29298 flaw in ColdFusion is incomplete. The researchers said that they detected exploitation attempts involving CVE-2023-29298 and CVE-2023-38203, with attackers executing PowerShell commands to create a web shell for access to the targeted endpoint.