Security experts have issued a warning over a potentially ‘incomplete’ fix for a security vulnerability in Adobe ColdFusion.
Researchers at Rapid7 have raised concerns that security patches issued for a series of vulnerabilities could still be placing users at risk.
Adobe released fixes for a series of vulnerabilities earlier this month affecting ColdFusion, including an access control bypass vulnerability - tracked as CVE-2023-29298 and discovered by Rapid7.
Researchers said that, based on observations, threat actors were found to be actively exploiting CVE-2023-29298 in customer environments.
“Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments,” the firm said in a blog post.
“The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability.”
RELATED RESOURCE
Unified Endpoint Management and Security in a work-from-anywhere world
Discover new ways to mitigate vulnerabilities
Behaviors observed by researchers were found to be “consistent” with a separate zero-day exploit published - and later removed - by Project Discovery on July 12.
According to Rapid7, it appears that Project Discovery initially believed it discovered an exploit, tracked as CVE-2023-29300 - a deserialization vulnerability - that would enable arbitrary code execution.
However, this was then found to have been a zero-day exploit chain that Adobe subsequently fixed.
“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” the firm said.
Warning issued over incomplete fix
Although Adobe issued a raft of fixes for these vulnerabilities last week, Rapid7’s analysis revealed that the patch provided is “incomplete”.
This means that a modified exploit could still be leveraged to work against the latest version of ColdFusion.
Similarly, researchers warned that, at present, there is no mitigation for customers vulnerable to CVE-2023-29298.
“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on 11 July is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion - released July 14).
“We have notified Adobe that their patch is incomplete.”
Researchers noted, however, that for the incomplete fix to be harnessed effectively, threat actors would still be reliant on a secondary vulnerability for “full execution on target systems”.
The firm urged customers to still update to the latest version of ColdFusion to mitigate the secondary vulnerability and prevent exploitation.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
