YouTube video by ColdFusion

Adobe ColdFusion offers you a single platform for building and deploying web and mobile applications.

Critical security flaw in Adobe ColdFusion has been added to CISA's Known Exploited Vulnerabilities catalog.

<div> <div> <div> <div> <p>Adobe Issues a Third set of Patches in a week for Actively Exploited ColdFusion Issues</p> </div> </div> </div> <div> <div> <div> <p>Take action: Another patch fatigue moment in the IT industry. If you manage ColdFusion servers, you don't have too many options other than patching the patch of the patch. It may be wise to consider whether you want to continue using these tools long term, and whether the investment in moving to something else is less than the current unfortunate state of ColdFusion security.</p> <p><strong>Learn More</strong></p> <p>Adobe has issued another emergency security update for its ColdFusion software, aiming to fix critical vulnerabilities, one of which has already been exploited in limited attacks.</p> <p>The update addresses three vulnerabilities: </p> <ul> <li> <strong>CVE-2023-38204 (CVSS score 9.8) </strong>- a remote code execution bug</li> <li><strong>CVE-2023-38205 (CVSS score 7.8) - Improper Access Control issue. This flaw was abused in limited attacks.</strong></li> <li><strong>CVE-2023-38206 (CVSS score 5.3)</strong> - moderate Improper Access Control flaw</li> </ul> <p>The CVE-2023-38205 flaw is a bypass for the incomplete patch issued for a previously discovered ColdFusion authentication bypass vulnerability CVE-2023-29298.</p> <p><a href="https://beyondmachines.net/event_details/another-critical-adobe-coldfusion-flaw-reported-in-a-week-i-9-f-c-x">On July 13th, attackers were observed chaining exploits for CVE-2023-29298 and another issue, likely CVE-2023-29300/CVE-2023-38203, to install webshells on vulnerable ColdFusion servers and gain remote access. </a></p> <p>On July 17th, security searchers found that the fix provided by Adobe for CVE-2023-29298 was incomplete, allowing a trivially modified exploit to still work on the latest version of ColdFusion. This led to the new emergency update.</p> <p>The fix for CVE-2023-29298 is included in the update (APSB23-47) under the CVE-2023-38205 patch.</p> </div> <div> <div> <img alt="Adobe Issues a Third set of Patches in a week for Actively Exploited ColdFusion Issues" src="https://pubcdn.beyondmachines.net/media_upload/events/upload/2023/07/20/bKtF08f5C-Y.jpg"> </div> </div> </div> </div> </div>

Adobe has unleashed a flurry of security updates to tackle multiple critical-severity bugs in ColdFusion versions 2025, 2023, and 2021. These pesky vulnerabilities could allow arbitrary file reads and code execution, making them the digital equivalent of leaving your front door open with a "Free Cookies Inside" sign.