CVE-2023-29300 — Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

CVE-2023-29300

Adobe ColdFusion 2018/2021/2023 — Pre-Auth Java Deserialization RCE via APSB23-40; Patch Analysis Triggered Bypass Discovery (CVE-2023-38203); KEV January 2024

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial Java-based application server and web development platform used by government agencies, financial institutions, and enterprise organizations to build and deploy internal business applications and public-facing web portals. ColdFusion runs ColdFusion Markup Language (CFML) applications server-side and integrates with backend databases, directory services, and internal systems. Because ColdFusion servers are often deployed in data-sensitive environments and have broad access to organizational backend infrastructure, they are attractive targets for ransomware operators and espionage actors seeking initial access.

Overview

CVE-2023-29300 is a pre-authentication Java deserialization vulnerability in Adobe ColdFusion that enables unauthenticated remote code execution. Adobe patched it on July 11, 2023 in security bulletin APSB23-40. Analysis of this patch by security researchers revealed a separate bypass vulnerability (CVE-2023-38203), which Adobe patched in an emergency out-of-band release (APSB23-41) nine days later. CISA added both CVE-2023-29300 and CVE-2023-38203 to the KEV catalog together on January 8, 2024, confirming that attackers were exploiting ColdFusion deserialization vulnerabilities in active campaigns targeting organizations that had not applied the complete patch sequence.

Affected Versions

Product          | Vulnerable             | Fixed
ColdFusion 2018  | Update 16 and earlier  | Update 17 (APSB23-40)
ColdFusion 2021  | Update 6 and earlier   | Update 7 (APSB23-40)
ColdFusion 2023  | GA release             | Update 1 (APSB23-40)

Note: After applying APSB23-40, also apply APSB23-41 to address CVE-2023-38203. Both patches are required.

Technical Details

CWE-502 (Deserialization of Untrusted Data). ColdFusion's Java runtime handles HTTP requests that may include serialized Java objects used for session management, data exchange, or legacy integrations. A flaw in ColdFusion's deserialization handling allows an unauthenticated attacker to send a crafted HTTP request containing a malicious serialized Java gadget chain. During deserialization, the Java runtime executes attacker-controlled code — before application-level authentication is checked.

Java deserialization attacks via "gadget chains" exploit the behavior of Java's ObjectInputStream.readObject() method: while rebuilding an object graph from the stream, the runtime instantiates whichever serializable classes the stream names and invokes their deserialization callbacks (such as a class's own readObject or readResolve method) before the application ever sees the result. By chaining classes already present on the server's classpath whose callbacks ultimately invoke OS commands or load attacker-controlled bytecode, an attacker achieves arbitrary code execution without any application code being called.

Successful exploitation of CVE-2023-29300 typically results in web shell deployment on the ColdFusion server (as .cfm or .jsp files), providing persistent attacker access regardless of credential rotation.

Discovery

CVE-2023-29300 was discovered and reported to Adobe by security researchers prior to the July 2023 patch cycle. The patch for CVE-2023-29300 (APSB23-40) was itself the trigger for discovery of CVE-2023-38203 — researchers analyzing the APSB23-40 patch found that the fix was incomplete and that a modified payload bypassed it.

Exploitation Context

The sequential discovery and disclosure of CVE-2023-29300 and its bypass CVE-2023-38203 created a prolonged exploitation window in summer 2023. Organizations that patched APSB23-40 but not APSB23-41 remained vulnerable to the bypass. Ransomware operators targeted internet-accessible ColdFusion servers across both vulnerabilities.

Government agencies running ColdFusion were specifically at risk, as CISA noted ongoing exploitation through the January 2024 KEV addition. The pattern — Java deserialization, web shell deployment, credential harvesting, lateral movement — followed the playbook ransomware groups refined against MOVEit and other enterprise file transfer platforms in 2023.

Remediation

  1. Apply Adobe APSB23-40 to address CVE-2023-29300 (ColdFusion 2018 Update 17, 2021 Update 7, 2023 Update 1).
  2. Apply Adobe APSB23-41 to address CVE-2023-38203 (ColdFusion 2018 Update 18, 2021 Update 8, 2023 Update 2) — both patches are required; APSB23-40 alone is insufficient.
  3. Apply Adobe's ColdFusion lockdown guide to restrict file system access, disable unnecessary features, and harden the runtime configuration.
  4. Restrict ColdFusion Administrator to localhost or management-only network access.
  5. Inspect ColdFusion web root directories for .cfm, .cfc, or .jsp files not present in known-good deployments — particularly in upload directories or under the ColdFusion admin paths.
  6. Review ColdFusion access logs for POST requests with unusual content-length patterns or binary payloads that could indicate deserialization attack attempts.
  7. Rotate database credentials, LDAP bind credentials, API keys, and other secrets stored in ColdFusion datasource and application configurations.
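As an added example (not code from the advisory or from Adobe), the following Python ties the Technical Details section to remediation step 6: it parses the header that ObjectInputStream.readObject() consumes from a captured POST body, raw or base64-encoded, extracts the root class name, and flags any class outside an allowlist of classes the application is known to exchange. The class names, the sample bodies and the make_stream fixture are constructed for illustration.

```python
import base64
import struct

# From java.io.ObjectStreamConstants: a serialized stream opens with the magic and
# version, then TC_OBJECT + TC_CLASSDESC whose UTF string names the class that
# readObject() instantiates first, i.e. the class a gadget chain is rooted in.
STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
B64_MAGIC = b"rO0AB"  # base64 of the magic bytes always starts this way

def root_class(blob: bytes):
    """Name in the first class descriptor, or None if not a Java object stream."""
    i = len(STREAM_MAGIC)
    if not blob.startswith(STREAM_MAGIC) or len(blob) < i + 4:
        return None
    if blob[i] != TC_OBJECT or blob[i + 1] != TC_CLASSDESC:
        return None
    (length,) = struct.unpack(">H", blob[i + 2:i + 4])
    name = blob[i + 4:i + 4 + length]
    return name.decode("utf-8", errors="replace") if len(name) == length else None

def triage_body(body: bytes, expected_classes):
    """Classify a captured POST body (raw or base64) by the root class of any Java
    stream it carries, against an allowlist of classes the app legitimately exchanges."""
    encoding = "raw"
    if not body.startswith(STREAM_MAGIC):
        text = body.strip()
        if not text.startswith(B64_MAGIC):
            return {"encoding": None, "root_class": None, "verdict": "no-java-stream"}
        try:
            body, encoding = base64.b64decode(text, validate=True), "base64"
        except (ValueError, TypeError):
            return {"encoding": "base64", "root_class": None, "verdict": "malformed-base64"}
    cls = root_class(body)
    if cls is None:
        verdict = "malformed-stream"
    else:
        verdict = "expected-root-class" if cls in expected_classes else "unexpected-root-class"
    return {"encoding": encoding, "root_class": cls, "verdict": verdict}

def make_stream(class_name: str) -> bytes:
    """Constructed test fixture: minimal stream for a fieldless Serializable class
    (descriptor, serialVersionUID, SC_SERIALIZABLE flag, 0 fields, TC_ENDBLOCKDATA,
    TC_NULL superclass). It is a format sample, not a gadget."""
    name = class_name.encode("utf-8")
    return (STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name))
            + name + b"\x00" * 8 + b"\x02\x00\x00\x78\x70")

# Constructed sample of a base64-wrapped stream naming a class the app never exchanges.
SAMPLE_B64 = base64.b64encode(make_stream("com.example.Unexpected"))
```

Run triage_body over bodies captured by a reverse proxy or WAF in front of ColdFusion; an "unexpected-root-class" or "malformed-stream" verdict on a pre-authentication endpoint is worth an incident ticket, while "no-java-stream" rules out this attack class for that request.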

Key Details

CVE ID: CVE-2023-29300
Vendor / Product: Adobe — ColdFusion
NVD Published: 2023-07-12
NVD Last Modified: 2025-10-23
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-502
CISA KEV Added: 2024-01-08
CISA KEV Deadline: 2024-01-29
Known Ransomware Use: Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

2023-07-11: Adobe releases APSB23-40 patching CVE-2023-29300 — pre-auth Java deserialization RCE in ColdFusion 2018/2021/2023
2023-07-14: Researcher patch-diffing APSB23-40 discovers and inadvertently publishes PoC for bypass vulnerability CVE-2023-38203
2023-07-20: Adobe releases emergency APSB23-41 patch addressing CVE-2023-38203 bypass
2024-01-08: CISA adds CVE-2023-29300 and CVE-2023-38203 to Known Exploited Vulnerabilities catalog together
2024-01-29: CISA BOD 22-01 remediation deadline

References

Adobe Security Bulletin APSB23-40 — ColdFusion (Vendor Advisory)
NVD — CVE-2023-29300 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)