CVE-2023-38203

CVE-2023-38203 is a critical-severity vulnerability in Adobe Coldfusion with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-01-08). The underlying weakness is classified as CWE-502.

Key facts

Description

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

CVE-2023-38203: Adobe ColdFusion Critical Deserialization RCE (KEV)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE ID CVE-2023-38203
CVSS 3.1 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-502 – Deserialization of Untrusted Data
EPSS 0.97003 (99.88th percentile)
CISA KEV Yes – added 2024-01-08
Published 2023-07-20
Assigner Adobe PSIRT ([email protected])

Summary

Adobe ColdFusion versions 2018 Update 17 and earlier, 2021 Update 7 and earlier, and 2023 Update 1 and earlier contain a deserialization of untrusted data vulnerability. An unauthenticated remote attacker can exploit this flaw to achieve arbitrary code execution without any user interaction.

Background

Adobe ColdFusion is a commercial rapid web-application development platform that uses a proprietary markup language (CFML) and runs on the Adobe ColdFusion application server. It is widely deployed in enterprise environments for building data-driven web applications. The platform uses Java under the hood, and like many Java-based frameworks, it relies on serialization/deserialization mechanisms for object persistence, session management, and inter-process communication.

Root Cause

CWE-502: Deserialization of Untrusted Data

The vulnerability stems from the application deserializing data from an untrusted source without adequate validation or sanitization. In Java-based environments, insecure deserialization is a well-known attack class: when an attacker can control serialized object data that the application later deserializes, they can trigger unintended code paths, gadget chains, and ultimately achieve remote code execution. The specific deserialization entry point in ColdFusion is not detailed in the source data, but the nature of the flaw is consistent with classic Java deserialization attacks against frameworks that accept serialized objects over the network or via request parameters.

Impact

The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H translates to a score of 9.8 (Critical).

  • Attack Vector (AV): Network — Exploitable remotely over the internet.
  • Attack Complexity (AC): Low — No special conditions or advanced techniques required.
  • Privileges Required (PR): None — No authentication needed.
  • User Interaction (UI): None — Fully automated exploitation possible.
  • Scope (S): Unchanged — The vulnerable component is the only one impacted.
  • Confidentiality, Integrity, Availability (C/I/A): High — Full compromise of the target system is possible.

This is a maximum-severity unauthenticated RCE in a widely deployed enterprise web platform.

Exploitation Walkthrough

Ethics Caveat: The following is a defensive, high-level description of how this class of vulnerability is exploited. It is intended to help defenders understand attack surface and detection opportunities. No working exploit code is provided, and this information should be used only for authorized security testing and defensive hardening.

  1. Reconnaissance: The attacker identifies a ColdFusion instance, often through version fingerprinting (e.g., /CFIDE/administrator/, HTTP headers, or error pages).
  2. Gadget Chain Identification: The attacker sends a crafted serialized payload designed to trigger a known deserialization gadget chain within the ColdFusion classpath or its dependencies.
  3. Payload Delivery: The payload is delivered via the network vector that triggers deserialization (the specific ColdFusion endpoint or protocol is not detailed in the source data).
  4. Code Execution: Upon deserialization, the gadget chain executes attacker-controlled code, typically spawning a reverse shell or deploying a web shell for persistent access.

Because this vulnerability requires no user interaction and no privileges, it is trivially wormable and has been actively exploited in the wild — as confirmed by its inclusion in the CISA KEV catalog.

Affected and Patched Versions

Affected (per source data):

  • Adobe ColdFusion 2018 – Update 17 and earlier
  • Adobe ColdFusion 2021 – Update 7 and earlier
  • Adobe ColdFusion 2023 – Update 1 and earlier

Patched Versions: The exact patch levels are not specified in the source data. Administrators should consult Adobe Security Bulletin APSB23-41 for the latest updates and apply all security patches released after July 2023.

Remediation

  1. Patch Immediately: Apply the security updates from Adobe APSB23-41 without delay. This vulnerability is under active exploitation.
  2. Network Segmentation: Restrict ColdFusion administrative interfaces and application endpoints to trusted networks only. Do not expose ColdFusion servers directly to the internet unless absolutely necessary.
  3. Web Application Firewall (WAF): Deploy WAF rules to detect and block common deserialization attack patterns. While not a complete fix, this adds a compensating control.
  4. Input Validation: Where custom deserialization logic exists, implement strict allow-listing of expected classes and avoid deserializing untrusted data.
  5. Runtime Application Self-Protection (RASP): Consider RASP solutions that can detect anomalous deserialization behavior in real time.

Detection

  • Network: Monitor for unexpected serialized object traffic (e.g., Java serialized streams, unusual POST body patterns) targeting ColdFusion endpoints.
  • Endpoint: Look for anomalous process spawning from the ColdFusion application server (e.g., cmd.exe, powershell.exe, or unexpected child processes).
  • Logs: Audit ColdFusion access logs for unusual request patterns, especially to administrative or deserialization-related endpoints. Correlate with web server and application logs.
  • Threat Intelligence: Cross-reference your external-facing ColdFusion assets against CISA KEV and EPSS scores to prioritize patching.

Assessment

With an EPSS score of 0.97003 (99.88th percentile) and confirmed CISA KEV status since January 2024, CVE-2023-38203 represents an exceptionally high-risk vulnerability. The combination of unauthenticated network access, low attack complexity, and active exploitation makes this a textbook "patch now" issue.

Key Lessons:

  1. Deserialization is a persistent Achilles' heel in Java-based enterprise stacks. Frameworks that accept serialized objects from untrusted sources remain prime targets.
  2. EPSS + KEV should drive prioritization. Even without a published PoC, the KEV flagging and near-maximum EPSS probability indicate that threat actors have weaponized this flaw at scale.

References

Frequently asked questions

What is CVE-2023-38203?
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
How severe is CVE-2023-38203?
CVE-2023-38203 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-38203 being actively exploited?
Yes. CVE-2023-38203 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-01-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-38203?
CVE-2023-38203 primarily affects Adobe Coldfusion. In total, 28 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-38203?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-38203 have an EU (EUVD) identifier?
Yes. CVE-2023-38203 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-42023. It is also flagged as exploited in the EUVD (since 2024-01-08).
When was CVE-2023-38203 published?
CVE-2023-38203 was published on 2023-07-20 and last updated on 2026-06-17.

References

Affected products (28)

More vulnerabilities in Adobe Coldfusion

All CVEs affecting Adobe Coldfusion →

Other CWE-502 (Deserialization of Untrusted Data) vulnerabilities

Browse all CWE-502 (Deserialization of Untrusted Data) vulnerabilities →