Warning issued over “incomplete” fix for Adobe ColdFusion vulnerability

Adobe ColdFusion: Adobe logo seen displayed on a smartphone
(Image credit: Getty Images)

Security experts have issued a warning over a potentially ‘incomplete’ fix for a security vulnerability in Adobe ColdFusion. 

Researchers at Rapid7 have raised concerns that security patches issued for a series of vulnerabilities could still be placing users at risk. 

Adobe released fixes for a series of vulnerabilities earlier this month affecting ColdFusion, including an access control bypass vulnerability - tracked as CVE-2023-29298 and discovered by Rapid7. 

Researchers said that, based on observations, threat actors were found to be actively exploiting CVE-2023-29298 in customer environments.

“Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments,” the firm said in a blog post. 

“The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability.”

RELATED RESOURCE

Whitepaper cover with image of female working remotely at a laptop on her sofa

(Image credit: IBM)

Unified Endpoint Management and Security in a work-from-anywhere world

Discover new ways to mitigate vulnerabilities

DOWNLOAD FOR FREE

Behaviors observed by researchers were found to be “consistent” with a separate zero-day exploit published - and later removed - by Project Discovery on July 12.

According to Rapid7, it appears that Project Discovery initially believed it discovered an exploit, tracked as CVE-2023-29300 - a deserialization vulnerability - that would enable arbitrary code execution.

However, this was then found to have been a zero-day exploit chain that Adobe subsequently fixed. 

“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” the firm said. 

Warning issued over incomplete fix

Although Adobe issued a raft of fixes for these vulnerabilities last week, Rapid7’s analysis revealed that the patch provided is “incomplete”. 

This means that a modified exploit could still be leveraged to work against the latest version of ColdFusion. 

Similarly, researchers warned that, at present, there is no mitigation for customers vulnerable to CVE-2023-29298. 

“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on 11 July is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion - released July 14). 

“We have notified Adobe that their patch is incomplete.”

Researchers noted, however, that for the incomplete fix to be harnessed effectively, threat actors would still be reliant on a secondary vulnerability for “full execution on target systems”. 

The firm urged customers to still update to the latest version of ColdFusion to mitigate the secondary vulnerability and prevent exploitation. 

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.