CVE-2023-29300
CVE-2023-29300 is a critical-severity vulnerability in Adobe Coldfusion with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-08). The underlying weakness is classified as CWE-502.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2024-01-08)
- EU (EUVD) id: EUVD-2023-32875
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2024-01-08)
- Weakness: CWE-502
- Affected product: Adobe Coldfusion
- Published:
- Last modified:
Description
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
CVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Leads to Critical RCE
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2023-29300 |
| Severity | CRITICAL |
| CVSS 3.1 | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-502: Deserialization of Untrusted Data |
| EPSS | 0.99984 (99.98th percentile) |
| KEV | Yes — CISA KEV (added 2024-01-08) |
| EUVD | EUVD-2023-32875 |
| Published | 2023-07-12 |
| Assigner | Adobe PSIRT ([email protected]) |
Summary
Adobe ColdFusion versions 2018 Update 16 (and earlier), 2021 Update 6 (and earlier), and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability (CWE-502). An unauthenticated remote attacker can exploit this flaw to achieve arbitrary code execution without any user interaction.
Background
Adobe ColdFusion is a commercial rapid web-application development platform. It is widely deployed in enterprise and government environments for building data-driven web applications. The platform's Java-based underpinnings make it susceptible to deserialization attacks when untrusted data is passed to Java's native serialization mechanisms without adequate validation.
Root Cause
The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. ColdFusion improperly deserializes data from an untrusted source, allowing an attacker to inject malicious serialized objects. When the application reconstructs these objects, attacker-controlled code can be executed in the context of the ColdFusion server process. This is a well-understood attack class in Java-based applications, where chains of "gadgets" (existing classes in the classpath) can be combined to achieve code execution.
Impact
The CVSS 3.1 score of 9.8 (Critical) reflects the severity of this vulnerability:
- Attack Vector (AV): Network — exploitable remotely
- Attack Complexity (AC): Low — no special conditions required
- Privileges Required (PR): None — unauthenticated exploitation
- User Interaction (UI): None — fully automated exploitation possible
- Scope (S): Unchanged — impact remains within the vulnerable component
- Confidentiality (C), Integrity (I), Availability (A): All HIGH
Successful exploitation grants the attacker full control over the ColdFusion server with the privileges of the service account, typically leading to complete system compromise.
Exploitation Walkthrough (Defensive Perspective)
Ethics Notice: This section describes the exploitation mechanism from a defensive standpoint to help security teams understand and detect the attack. No weaponized exploit code is provided.
- Reconnaissance: Identify ColdFusion endpoints (common paths include
/CFIDE/administrator/,/cfform, or WSDL endpoints). - Gadget Chain Identification: The attacker crafts a serialized Java object payload leveraging known gadget chains present in ColdFusion's classpath (e.g., libraries such as Apache Commons Collections, though the exact chain may vary by patch level).
- Deserialization Trigger: The payload is sent to a ColdFusion endpoint that accepts serialized data (such as WDDX packets, AMF, or Java serialized objects in specific protocol handlers).
- Code Execution: Upon deserialization, the gadget chain executes, typically spawning a reverse shell or deploying a web shell.
Security teams should focus on detecting abnormal deserialization behavior and outbound connections from ColdFusion servers rather than attempting to reproduce exploitation.
Affected and Patched Versions
Affected:
- Adobe ColdFusion 2018 — Update 16 and earlier
- Adobe ColdFusion 2021 — Update 6 and earlier
- Adobe ColdFusion 2023 — 2023.0.0.330468 and earlier
Patched:
- Adobe ColdFusion 2018 — Update 17
- Adobe ColdFusion 2021 — Update 7
- Adobe ColdFusion 2023 — 2023 Update 1
Remediation
- Apply Adobe Security Updates: Install the patches released in APSB23-40 immediately for the affected versions.
- Network Segmentation: Restrict ColdFusion administrative interfaces (
/CFIDE/) to trusted management hosts only; do not expose them to the internet. - Input Validation: Implement strict input validation on all endpoints that may accept serialized data. Disable WDDX and AMF deserialization where not needed.
- Runtime Protection: Deploy RASP (Runtime Application Self-Protection) or Java deserialization filters to block known gadget chains.
- Web Application Firewall (WAF): Configure WAF rules to detect and block serialized Java objects and known exploitation signatures.
Detection
- Network: Monitor for unexpected outbound connections from ColdFusion servers (reverse shells, DNS exfiltration).
- Endpoint: Look for anomalous process spawning from the ColdFusion service account (e.g.,
cmd.exe,powershell.exe,bash). - Application Logs: Enable verbose ColdFusion logging and watch for deserialization exceptions or unusual input sizes to serialization endpoints.
- File Integrity: Monitor web directories for unexpected file drops (JSP or CFM web shells).
Assessment
This vulnerability is exceptionally dangerous due to its unauthenticated, network-accessible, low-complexity exploitation path. The EPSS score of 0.99984 indicates near-universal probability of exploitation in the wild, and its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog confirms active exploitation.
Key lessons:
- Deserialization remains a critical attack surface in Java-based enterprise applications. Developers must treat all serialized input as untrusted by default.
- Timely patching is non-negotiable for KEV-listed vulnerabilities, especially when exploitation requires no authentication.
References
Frequently asked questions
- What is CVE-2023-29300?
- Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
- How severe is CVE-2023-29300?
- CVE-2023-29300 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2023-29300 being actively exploited?
- Yes. CVE-2023-29300 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2023-29300?
- CVE-2023-29300 primarily affects Adobe Coldfusion. In total, 25 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-29300?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2023-29300 have an EU (EUVD) identifier?
- Yes. CVE-2023-29300 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-32875. It is also flagged as exploited in the EUVD (since 2024-01-08).
- When was CVE-2023-29300 published?
- CVE-2023-29300 was published on 2023-07-12 and last updated on 2026-06-17.
References
- https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-29300
Affected products (25)
- cpe:2.3:a:adobe:coldfusion:2018:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update1:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update10:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update11:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update12:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update13:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update14:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update15:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update16:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update2:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update3:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update4:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update5:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update6:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update7:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update8:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2018:update9:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*
- cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
More vulnerabilities in Adobe Coldfusion
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2025-54261 — Critical (CVSS 10.0): ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a…
All CVEs affecting Adobe Coldfusion →
Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities
- CVE-2026-41104 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Planetary Computer Pro allows an unauthorized attacker to disclose…
- CVE-2026-43633 — Critical (CVSS 10.0): HestiaCP versions 1.9.0 through 1.9.4 contain a deserialization vulnerability in the web terminal component caused by a…
- CVE-2026-33819 — Critical (CVSS 10.0): Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
- CVE-2026-20131 — Critical (CVSS 10.0): A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could…
- CVE-2026-25632 — Critical (CVSS 10.0): EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water…
- CVE-2025-14931 — Critical (CVSS 10.0): Hugging Face smolagents Remote Python Executor Deserialization of Untrusted Data Remote Code Execution Vulnerability.…
Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →