CVE-2023-29300

Name of the Vulnerable Software and Affected Versions Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier)

Description The issue is related to a Deserialization of Untrusted Data vulnerability, which could result in Arbitrary code execution. Exploitation of this issue does not require user interaction. Threat actors have employed various techniques, including probing, the establishment of reverse shells, and the deployment of malware, to exploit this vulnerability. It is a JAVA deserialization vulnerability resulting in arbitrary code execution, allowing unauthorized threat actors to deploy webshell to target's devices and establish persistence.

Recommendations For Adobe ColdFusion versions 2018u16 (and earlier), update to a version later than 2018u16. For Adobe ColdFusion versions 2021u6 (and earlier), update to a version later than 2021u6. For Adobe ColdFusion versions 2023.0.0.330468 (and earlier), update to a version later than 2023.0.0.330468. As a temporary workaround, consider disabling the deserialization of untrusted data until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation.