Security experts have recently flagged concerns about a potential “incomplete” patch for a security vulnerability found in Adobe ColdFusion. Rapid7 researchers have discovered that the security patches provided by Adobe may still leave users vulnerable to attacks.
Last month, Adobe released several fixes for vulnerabilities in ColdFusion, including the access control bypass vulnerability known as CVE-2023-29298, which was uncovered by Rapid7. Observations made by the researchers have revealed that threat actors are actively exploiting this vulnerability in various customer environments.
“Our team at Rapid7 has observed instances of Adobe ColdFusion exploitation in multiple customer environments,” stated the company in a blog post. “The attacks we have encountered so far seem to be utilizing CVE-2023-29298, an access control bypass in ColdFusion discovered by Rapid7 on July 11, in combination with an additional vulnerability.”
Researchers have also identified behaviors consistent with a separate zero-day exploit that was initially published – and subsequently removed – by Project Discovery on July 12. That activity was initially believed to be a new exploit for CVE-2023-29300, a deserialization vulnerability that enabled arbitrary code execution, but it was later determined to be a zero-day exploit chain, which Adobe subsequently fixed.
Rapid7’s analysis has highlighted that the patch Adobe provided for these vulnerabilities is “incomplete” despite its recent release. As a result, a modified exploit could still target the latest version of ColdFusion. Furthermore, there is currently no mitigation available for customers vulnerable to CVE-2023-29298.
“Today, Rapid7 researchers have determined that the patch Adobe provided on July 11 for CVE-2023-29298 is incomplete, and a slightly modified exploit can still target the latest version of ColdFusion released on July 14. We have informed Adobe about the incomplete nature of their patch,” stated the researchers.
However, researchers noted that threat actors would still require a secondary vulnerability to achieve “full execution on target systems” when exploiting the incompletely patched flaw. As a precaution, Rapid7 recommends that customers update to the latest version of ColdFusion to address the secondary vulnerability and minimize the risk of exploitation.