430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Adobe out-of-band update addresses an actively exploited ColdFusion zero-day

Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day. Adobe released an out-of-band update to address critical and moderate vulnerabilities in ColdFusion, including a zero-day flaw that is actively exploited in attacks.  The vulnerabilities could lead to arbitrary code execution and security feature bypass. The impacted ColdFusion versions are 2023, 2021 […]

Adobe Acrobat Reader CVE-2026-34621

Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day.

Adobe released an out-of-band update to address critical and moderate vulnerabilities in ColdFusion, including a zero-day flaw that is actively exploited in attacks.

 The vulnerabilities could lead to arbitrary code execution and security feature bypass. The impacted ColdFusion versions are 2023, 2021 and 2018.

Below is the list of the issues addressed by the software firm with this out-of-band update:

Vulnerability CategoryVulnerability ImpactSeverityCVSS base score CVSS vectorCVE Numbers
Deserialization of Untrusted Data (CWE-502)Arbitrary code execution
Critical9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCVE-2023-38204
Improper Access Control (CWE-284)Security feature bypassCritical7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NCVE-2023-38205
Improper Access Control (CWE-284)Security feature bypassModerate5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NCVE-2023-38206

According to the bulletin, the vulnerability tracked as CVE-2023-38205 has been exploited in the wild in limited attacks targeting ColdFusion. This flaw is an Improper Access Control that could lead to a security feature bypass.

“Adobe has released security updates for ColdFusion versions 2023, 2021 and 2018. These updates resolve critical  and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass.” reads the security bulletin. “Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion.”

The CVE-2023-38205 vulnerability was discovered by Stephen Fewer from security firm Rapid7.

The CVE-2023-38205 vulnerability is a patch bypass for the fix for the ColdFusion authentication bypass issue tracked as CVE-2023-29298.

Last week, Adobe warned customers of a critical ColdFusion pre-authentication RCE bug, tracked as CVE-2023-29300, which is actively exploited. The issue was part of an exploit chain, that included the CVE-2023-29298 and CVE-2023-38203, which was used to deploy webshells on vulnerable ColdFusion servers.

BllepingComputer confirmed that the fix for CVE-2023-29298 is included in APSB23-47 as the CVE-2023-38205 patch.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)