What is Adobe ColdFusion?
Adobe ColdFusion is a commercial rapid web application development platform that has been deployed in enterprise, government, and education environments since the 1990s. ColdFusion servers are commonly internet-facing and run web applications with access to databases and internal network resources. The ColdFusion Administrator is a web-based management console that, if accessible without authentication, provides an attacker with broad control over the application server including the ability to write files, execute system commands, and deploy malicious CFM pages.
Overview
CVE-2023-38205 is an improper access control vulnerability in Adobe ColdFusion that allows an unauthenticated remote attacker to bypass security controls and access the ColdFusion Administrator interface. It arose as a patch bypass: researchers discovered that Adobe's fix for the prior authentication bypass (CVE-2023-29298, APSB23-40) could be circumvented by modifying the URL path with specific characters that evaded the new filter but still reached the protected endpoint. Adobe released a corrected fix in APSB23-47 on July 20, 2023. CISA added it to the KEV catalog on the same day.
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| ColdFusion 2023 | Update 2 and earlier | Update 3 |
| ColdFusion 2021 | Update 8 and earlier | Update 9 |
| ColdFusion 2018 | Update 18 and earlier | Update 19 |
Note: Versions patched with APSB23-40 (July 11, 2023) but not APSB23-47 (July 20, 2023) remain vulnerable to CVE-2023-38205.
Technical Details
The original vulnerability (CVE-2023-29298) was a path traversal / filter bypass in ColdFusion's access control logic that allowed unauthenticated requests to reach the ColdFusion Administrator by prepending a specific path prefix. Adobe's patch introduced a URL blocklist to catch the known bypass pattern.
CVE-2023-38205 (CWE-284) is a bypass of that blocklist: researchers found that appending or modifying the URL with characters such as path separators or URL-encoded variants produced URLs that matched the administrator endpoint routing but did not match the new blocklist. This allowed the same unauthenticated access to persist despite the patch.
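The root cause described above, a blocklist that matches raw URL strings while the router resolves a canonical path, is a general pattern and not specific to ColdFusion. The following Python is an added illustration written for this page, not Adobe's code and not the actual CVE-2023-38205 bypass string: it places a string-comparison blocklist beside a check that canonicalizes the path first and then applies an allowlist-style prefix rule. The protected prefix `/CFIDE/administrator` is assumed as the conventional console path (the page itself names none), and the sample paths are generic URL spellings constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Assumed protected resource for this illustration: the conventional
# ColdFusion Administrator path. The page itself names no path.
PROTECTED_PREFIX = "/CFIDE/administrator"

# A blocklist in the style the page describes: a fixed list of raw request
# paths known to reach the console without authentication.
BLOCKLIST = ("/CFIDE/administrator",)


def blocklist_allows(raw_path):
    """Fragile check: compares the raw request path against fixed strings.
    Any spelling of the same path that the router still resolves to the
    console (extra separators, percent-encoding, dot segments) slips through."""
    return not any(raw_path.startswith(blocked) for blocked in BLOCKLIST)


def canonicalize(raw_path):
    """Reduce a request path to the single form the router would actually
    serve: percent-decode (twice, to fold double encoding), treat backslash
    as a separator, collapse repeated slashes and resolve '.'/'..' segments.
    Input is the path component only; query strings are assumed already split."""
    path = unquote(unquote(raw_path))
    path = path.replace("\\", "/")
    # Strip leading slashes before normpath: POSIX normpath preserves a
    # leading '//' on purpose, which is exactly what we do not want here.
    return posixpath.normpath("/" + path.lstrip("/"))


def requires_admin_auth(raw_path):
    """Robust check: decide on the canonical path and require authentication
    for anything that lands at or under the protected prefix."""
    canon = canonicalize(raw_path).lower()
    prefix = PROTECTED_PREFIX.lower()
    return canon == prefix or canon.startswith(prefix + "/")


def compare(paths):
    """For each path, report whether the blocklist lets it through and whether
    the canonical check would still demand authentication."""
    return [(p, blocklist_allows(p), requires_admin_auth(p)) for p in paths]


if __name__ == "__main__":
    # Constructed sample paths: generic URL spellings, not a specific exploit.
    samples = [
        "/CFIDE/administrator/index.cfm",
        "//CFIDE/administrator/index.cfm",
        "/CFIDE%2Fadministrator/index.cfm",
        "/cfide/./administrator/index.cfm",
        "/index.cfm",
    ]
    for path, allowed, needs_auth in compare(samples):
        print(f"{path:40} blocklist_allows={allowed!s:5} requires_admin_auth={needs_auth}")
```

The design point is that the access decision and the routing decision must operate on the same canonical representation; any check that runs before canonicalization, or on a different canonical form than the router uses, leaves a gap of exactly the kind the page describes.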
When access to the ColdFusion Administrator is obtained without authentication, attackers can:
- Deploy CFM web shells to the server's web root
- Read server-side configuration files including database credentials
- Modify data sources and application settings
- Leverage built-in ColdFusion functionality to execute OS commands
In observed exploitation campaigns, CVE-2023-38205 was chained with additional ColdFusion vulnerabilities (CVE-2023-38204, a deserialization bug) to achieve full remote code execution.
Discovery
The patch bypass was identified by security researchers (credited to Rapid7 and others) who analyzed the APSB23-40 fix within days of its release and confirmed the bypass could be replicated. Adobe issued the corrected patch within approximately one week.
Exploitation Context
ColdFusion vulnerabilities have historically been weaponized rapidly by ransomware affiliates and APT groups targeting data theft from enterprise and government environments. The APSB23-40 → CVE-2023-38205 exploit cycle — where a patch is bypassed within a day and exploitation begins before the corrected patch is released — left organizations in a narrow vulnerable window even if they applied the initial patch promptly. CISA added CVE-2023-38205 to the KEV catalog on the day of the corrected fix, reflecting known active exploitation.
Remediation
- Apply APSB23-47 immediately — Update ColdFusion 2023 to Update 3, ColdFusion 2021 to Update 9, or ColdFusion 2018 to Update 19. Applying APSB23-40 alone is insufficient.
- Restrict access to the ColdFusion Administrator — it should never be exposed to the internet. Use firewall rules or network segmentation to allow admin access only from trusted management hosts.
- Apply the lockdown guide — Adobe's ColdFusion Lockdown Guide (available from Adobe support) disables unnecessary features and reduces the attack surface significantly.
- Audit CFM files for web shells — check the ColdFusion web root for recently modified or newly created .cfm files, particularly in directories that should not have new files.
- Review application logs for unusual admin panel access, particularly from external IP addresses or at unusual times.
- Rotate all credentials stored in ColdFusion data sources if compromise is suspected — database passwords stored in ColdFusion are accessible to anyone with admin panel access.
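Two of the remediation steps above, the web-root audit for recently created CFM files and the log review for admin panel access from outside trusted management networks, can be scripted. The Python below is an added example for this page and is not Adobe's tooling or any vendor script. It assumes a common/combined access log format, treats `/CFIDE/administrator` as the console path (assumed; the page names none), and builds its own throwaway web root and constructed log lines so it runs offline.

```python
import ipaddress
import os
import re
import tempfile
from datetime import datetime
from urllib.parse import unquote

CF_EXTENSIONS = (".cfm", ".cfc")


def find_recent_cfm(web_root, since_iso):
    """List ColdFusion source files under web_root modified after the ISO-8601
    timestamp since_iso (e.g. the date the server was last known clean).
    Paths are returned relative to web_root with '/' separators."""
    cutoff = datetime.fromisoformat(since_iso).timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith(CF_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            if os.path.getmtime(full) > cutoff:
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)


# Common/combined log format, e.g.
# '1.2.3.4 - - [12/Jul/2023:03:14:07 +0000] "GET /x HTTP/1.1" 200 512'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed conventional console path; compared after decoding and separator folding.
ADMIN_MARKER = "/cfide/administrator"


def suspicious_admin_requests(log_lines, trusted_networks):
    """Return admin-console requests that did not originate from a trusted
    management network. Paths are percent-decoded (twice) and repeated
    separators folded so encoded or doubled-slash spellings are not missed."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(unquote(m["path"].split("?", 1)[0]))
        path = re.sub(r"[\\/]+", "/", path).lower()
        if ADMIN_MARKER not in path:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue
        findings.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return findings


# Constructed sample log lines (not real traffic). 10.0.5.0/24 plays the
# management network; 203.0.113.45 and 198.51.100.7 are outside addresses.
SAMPLE_LOG = [
    '10.0.5.20 - - [11/Jul/2023:08:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.45 - - [12/Jul/2023:03:14:07 +0000] "GET //CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.45 - - [12/Jul/2023:03:14:09 +0000] "GET /CFIDE%2Fadministrator/index.cfm HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Jul/2023:09:30:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]
TRUSTED = ["10.0.5.0/24"]


def demo_web_root():
    """Build a throwaway web root with one old and one recently written .cfm
    file so find_recent_cfm can be exercised offline (constructed fixture)."""
    root = tempfile.mkdtemp(prefix="cf_webroot_")
    old = os.path.join(root, "index.cfm")
    open(old, "w").close()
    os.utime(old, (1577836800, 1577836800))   # 2020-01-01, long before the patch window
    os.makedirs(os.path.join(root, "uploads"))
    recent = os.path.join(root, "uploads", "recent.cfm")
    open(recent, "w").close()                 # mtime = now
    return root


if __name__ == "__main__":
    root = demo_web_root()
    print("recently modified:", find_recent_cfm(root, "2023-07-11T00:00:00+00:00"))
    for f in suspicious_admin_requests(SAMPLE_LOG, TRUSTED):
        print(f"{f['ip']:15} {f['time']}  {f['method']} {f['path']} -> {f['status']}")
```

In a real review, run `find_recent_cfm` against the actual web root with the date of the last known-good state as the cutoff, and feed `suspicious_admin_requests` the server's access logs with the organization's management ranges as the trusted list; a hit from an address outside those ranges, especially a 200 response, is the signal the remediation list calls out.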
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-38205 |
| Vendor / Product | Adobe — ColdFusion |
| NVD Published | 2023-09-14 |
| NVD Last Modified | 2025-10-23 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-284 |
| CISA KEV Added | 2023-07-20 |
| CISA KEV Deadline | 2023-08-10 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-07-11 | Adobe releases APSB23-40 patching CVE-2023-29298 (ColdFusion authentication bypass) |
| 2023-07-12 | Researchers discover that the APSB23-40 patch for CVE-2023-29298 can be bypassed with a modified URL |
| 2023-07-20 | Adobe releases APSB23-47 patching CVE-2023-38205; added to CISA KEV same day |
| 2023-08-10 | CISA BOD 22-01 remediation deadline |
| 2023-09-14 | NVD publishes CVE-2023-38205 with official CVSS score |
References
| Resource | Type |
|---|---|
| Adobe Security Bulletin APSB23-47 | Vendor Advisory |
| Adobe Security Bulletin APSB23-40 (original ColdFusion authentication bypass) | Vendor Advisory |
| NVD — CVE-2023-38205 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |