CVE-2023-38203 — Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

CVE-2023-38203

Adobe ColdFusion 2018/2021/2023 — Pre-Auth Java Deserialization RCE, fixed out-of-band in APSB23-41; Exploited After Premature PoC Disclosure; Ransomware Targeting; KEV January 2024

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial application server and rapid web development platform for building and deploying web applications, primarily in enterprise environments. ColdFusion runs web applications written in ColdFusion Markup Language (CFML) and Java, and is used in government agencies, financial institutions, and enterprise organizations, often to serve internal business applications and public-facing web portals. ColdFusion executes CFML code server-side and typically has access to backend databases, file systems, and internal network resources. Because ColdFusion is built on Java, every code path that turns untrusted request data into Java objects (Java's own ObjectInputStream, or ColdFusion's built-in conversion of formats such as WDDX into Java objects) is a deserialization attack surface.

Overview

CVE-2023-38203 is a pre-authentication Java deserialization vulnerability in Adobe ColdFusion that enables unauthenticated remote code execution. It became public through a premature PoC disclosure: when Adobe patched a different ColdFusion deserialization vulnerability (CVE-2023-29300, APSB23-40) on July 11, 2023, researchers at Project Discovery analyzed the patch and published a working PoC that, unknown to them at the time, exploited a second and still-unpatched vulnerability, CVE-2023-38203. Adobe released an emergency out-of-band patch (APSB23-41) on July 20, 2023, which left attackers a six-day window with a public PoC and no fix. CISA added the CVE to KEV on January 8, 2024, confirming continued exploitation.

Affected Versions

Product | Vulnerable | Fixed
ColdFusion 2018 | Update 17 and earlier | Update 18
ColdFusion 2021 | Update 7 and earlier | Update 8
ColdFusion 2023 | Update 1 and earlier | Update 2

Technical Details

CWE-502 (Deserialization of Untrusted Data). ColdFusion converts data from incoming HTTP requests into Java objects without adequately restricting which classes may be instantiated. An unauthenticated attacker can therefore send a crafted HTTP request carrying a malicious serialized object graph (a "gadget chain") assembled from classes already present on the server's classpath. Code execution is a side effect of deserialization itself: the gadget classes' constructors, setters, or readObject methods perform dangerous actions (for example a JNDI lookup that loads attacker-supplied code) while the object graph is being rebuilt, so the attack completes before any application-level authentication check runs.

The premature PoC disclosure came out of patch analysis: diffing APSB23-40 exposed how ColdFusion's deserialization handling works, and a PoC written against the patched build still succeeded because it used a path the APSB23-40 fix did not cover. That uncovered path is CVE-2023-38203. Publishing the PoC before Adobe issued APSB23-41 created a six-day exploitation window.

The vulnerability is commonly exploited to deploy web shells (ColdFusion .cfm files) on the server, establishing persistent remote access, followed by credential harvesting and lateral movement.

Discovery

CVE-2023-38203 emerged from patch analysis following Adobe's APSB23-40 advisory. Researchers at Project Discovery (Rahul Maini and others) discovered the bypass while analyzing the APSB23-40 patch and inadvertently published PoC details before Adobe had patched the new finding. Adobe moved quickly to release APSB23-41 six days later.

Exploitation Context

The six-day window between PoC publication (July 14) and Adobe's APSB23-41 patch (July 20) enabled active exploitation. Attackers used the public PoC to deploy web shells on internet-accessible ColdFusion servers, and ransomware operators were among the confirmed exploiters. CVE-2023-38203 (APSB23-41) and CVE-2023-29300 (APSB23-40) were added to CISA KEV on the same day, January 8, 2024, reflecting an exploitation campaign against ColdFusion servers that had not applied both updates.

ColdFusion servers are particularly valuable targets because they are often deployed in government and regulated-industry environments where they process sensitive data and have broad internal network access.

Remediation

  1. Apply Adobe APSB23-41 immediately to update to ColdFusion 2018 Update 18, ColdFusion 2021 Update 8, or ColdFusion 2023 Update 2.
  2. Also apply APSB23-40 (for CVE-2023-29300) if not already done — both deserialization vulnerabilities must be patched.
  3. Apply the ColdFusion lockdown guide settings — Adobe's official hardening guide restricts the directories and file types ColdFusion can serve and disables unnecessary functionality.
  4. Restrict ColdFusion Administrator access to localhost or management network only — the admin interface should never be internet-accessible.
  5. Inspect ColdFusion web roots for unexpected .cfm, .cfc, or .jsp files that could be web shells planted during exploitation.
  6. Review ColdFusion and web server access logs for unusual requests on and after July 14, 2023, the start of the exploitation window, looking in particular for request parameters or bodies that carry serialized-object payloads.
  7. Rotate all database credentials and API keys accessible from the ColdFusion server's application configuration.
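The checks in remediation steps 5 and 6, together with the serialized-object payload indicators described under Technical Details, as an added Python example (this is not code from the page, from Adobe, or from Project Discovery). It runs over a constructed access-log excerpt and a constructed web-root listing; the IPs, paths, timestamps, web-root location and deployment baseline are all assumptions. The indicators are generic CWE-502 signs rather than a signature for this CVE: the Base64 prefix of the Java serialization stream header, and the opening tag of a WDDX packet, included on the assumption that ColdFusion's WDDX-to-Java conversion is the deserialization path (the page does not state which request format the public PoC used).

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Exploitation window per the advisory: public PoC 2023-07-14, patch APSB23-41 2023-07-20.
WINDOW_START = datetime(2023, 7, 14, tzinfo=timezone.utc)

# Generic CWE-502 payload indicators, not a signature for CVE-2023-38203 itself:
#  - "rO0AB" is the Base64 form of the Java serialization stream header 0xACED0005
#  - "<wddxPacket" opens a WDDX packet, which ColdFusion converts into Java objects
#    (assumption: the page does not state which request format the public PoC used)
INDICATORS = {
    "java-serialized-b64": re.compile(r"rO0AB"),
    "wddx-packet": re.compile(r"<wddxPacket", re.IGNORECASE),
}
# Extensions a dropped web shell would use on a ColdFusion server.
SHELL_EXTENSIONS = (".cfm", ".cfc", ".jsp", ".jspx")

# Combined-format access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation IPs, made-up paths); not real traffic.
SAMPLE_LOG = """\
198.51.100.4 - - [12/Jul/2023:09:00:01 +0000] "GET /portal/index.cfm HTTP/1.1" 200 4210
198.51.100.4 - - [13/Jul/2023:08:30:00 +0000] "POST /api/ingest?data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 200 17
203.0.113.7 - - [15/Jul/2023:02:14:09 +0000] "POST /portal/utils.cfc?method=run&argumentCollection=%3CwddxPacket%20version%3D%221.0%22%3E HTTP/1.1" 500 312
203.0.113.7 - - [15/Jul/2023:02:14:31 +0000] "POST /portal/utils.cfc?method=run&argumentCollection=%253CwddxPacket%2520version%253D%25221.0%2522%253E HTTP/1.1" 200 512
203.0.113.7 - - [15/Jul/2023:02:15:02 +0000] "GET /portal/images/h3lp.cfm?cmd=whoami HTTP/1.1" 200 88
192.0.2.9 - - [16/Jul/2023:11:42:55 +0000] "POST /api/ingest?data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 200 17
"""

# Constructed web-root listing as (path, mtime) pairs, e.g. from os.walk + os.stat,
# plus an assumed baseline of files that belong to the deployment.
WWWROOT = "/opt/coldfusion/cfusion/wwwroot"
SAMPLE_FILES = [
    (f"{WWWROOT}/portal/index.cfm", datetime(2023, 3, 2, tzinfo=timezone.utc)),
    (f"{WWWROOT}/portal/utils.cfc", datetime(2023, 3, 2, tzinfo=timezone.utc)),
    (f"{WWWROOT}/portal/images/h3lp.cfm", datetime(2023, 7, 15, 2, 14, 40, tzinfo=timezone.utc)),
    (f"{WWWROOT}/portal/images/logo.png", datetime(2023, 7, 15, 2, 14, 40, tzinfo=timezone.utc)),
    (f"{WWWROOT}/portal/report.cfm", datetime(2023, 7, 18, tzinfo=timezone.utc)),
]
BASELINE = {f"{WWWROOT}/portal/index.cfm", f"{WWWROOT}/portal/utils.cfc",
            f"{WWWROOT}/portal/report.cfm"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def payload_indicators(target):
    """Indicator names found in a request target after URL-decoding it twice;
    the second pass catches double-encoded payloads that defeat raw-line matching."""
    decoded = unquote_plus(unquote_plus(target))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def find_suspicious_requests(log_text, window_start=WINDOW_START):
    """Requests at or after window_start (None = no date filter) whose target
    carries a serialized-object indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (window_start is not None and rec["ts"] < window_start):
            continue
        found = payload_indicators(rec["target"])
        if found:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "target": rec["target"], "indicators": found})
    return hits


def find_unexpected_files(file_records, baseline, window_start=WINDOW_START):
    """Web-executable files missing from the baseline and written at or after window_start."""
    return sorted(
        path for path, mtime in file_records
        if path.lower().endswith(SHELL_EXTENSIONS)
        and path not in baseline
        and (window_start is None or mtime >= window_start)
    )


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']:%Y-%m-%d %H:%M:%S} {hit['ip']} {hit['status']} "
              f"{','.join(hit['indicators'])} {hit['target'][:60]}")
    for path in find_unexpected_files(SAMPLE_FILES, BASELINE):
        print("unexpected web-executable file:", path)
```

Run as-is it flags the two WDDX requests (one single- and one double-URL-encoded) and the post-window Base64 serialized-object request, and reports h3lp.cfm as a web-executable file outside the baseline; the 13 July request is excluded by the date filter, which is why window_start=None exists for a broader sweep. On a real server, replace SAMPLE_LOG with the access log and SAMPLE_FILES with an os.walk over the web root, and build BASELINE from the deployment manifest or a known-good backup. Access logs carry only the request line, so a payload delivered in a POST body is invisible to this check; that needs request-body logging at a proxy or WAF, or a server-side log that records parameters.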

Key Details

Property | Value
CVE ID | CVE-2023-38203
Vendor / Product | Adobe — ColdFusion
NVD Published | 2023-07-20
NVD Last Modified | 2025-10-23
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-502
CISA KEV Added | 2024-01-08
CISA KEV Deadline | 2024-01-29
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2024-01-29. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date | Event
2023-07-11 | Adobe releases APSB23-40, patching CVE-2023-29300 (a separate ColdFusion deserialization vulnerability)
2023-07-14 | Project Discovery researchers publish a PoC while analyzing the APSB23-40 patch; the PoC actually exploits CVE-2023-38203, a new and still-unpatched path
2023-07-14 to 2023-07-20 | Exploitation window: attackers use the public PoC against internet-facing ColdFusion servers before any fix exists
2023-07-20 | Adobe releases the out-of-band emergency patch APSB23-41 addressing CVE-2023-38203
2024-01-08 | CISA adds CVE-2023-38203 to the Known Exploited Vulnerabilities catalog alongside CVE-2023-29300
2024-01-29 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Adobe Security Bulletin APSB23-41 (ColdFusion) | Vendor Advisory
NVD entry for CVE-2023-38203 | Vulnerability Database
CISA KEV Catalog entry for CVE-2023-38203 | US Government