CVE-2023-44350
📋 TL;DR
This vulnerability allows attackers to execute arbitrary code on Adobe ColdFusion servers by sending maliciously crafted data that gets improperly deserialized. All ColdFusion installations running affected versions are vulnerable, and exploitation requires no user interaction.
💻 Affected Systems
- Adobe ColdFusion
📦 What is this software?
Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →Coldfusion by Adobe
Adobe ColdFusion is a commercial rapid web application development platform and server providing a Java-based runtime environment for building dynamic websites, web applications, REST APIs, and enterprise integrations. Deployed across government agencies, financial services, healthcare organizations...
Learn more about Coldfusion →⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to install malware, steal data, pivot to other systems, or establish persistent access.
Likely Case
Remote code execution leading to web server compromise, data exfiltration, or ransomware deployment.
If Mitigated
Attack blocked at network perimeter or detected before successful exploitation.
🎯 Exploit Status
CVSS 9.8 indicates trivial exploitation with high impact. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.6 for ColdFusion 2023, 2021.12 for ColdFusion 2021
Vendor Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
Restart Required: Yes
Instructions:
1. Download appropriate patch from Adobe Security Bulletin APSB23-52. 2. Stop ColdFusion service. 3. Apply patch. 4. Restart ColdFusion service. 5. Verify version update.
🔧 Temporary Workarounds
Network segmentation
allRestrict access to ColdFusion servers to only trusted IP addresses
WAF rule implementation
allDeploy web application firewall rules to block deserialization attacks
🧯 If You Can't Patch
- Isolate affected systems from internet and restrict internal network access
- Implement strict monitoring and alerting for suspicious ColdFusion activity
🔍 How to Verify
Check if Vulnerable:
Check ColdFusion version in administrator console or via cfusion/lib/version.txt fileCheck Version:
On Windows: type "C:\ColdFusion\cfusion\lib\version.txt" | On Linux: cat /opt/coldfusion/cfusion/lib/version.txtVerify Fix Applied:
Verify version is 2023.6 or higher for CF2023, or 2021.12 or higher for CF2021📡 Detection & Monitoring
Log Indicators:
- Unusual Java deserialization errors in application logs
- Suspicious POST requests to ColdFusion endpoints
- Unexpected process creation from ColdFusion service
Network Indicators:
- Unusual outbound connections from ColdFusion server
- Traffic patterns indicating reverse shells or data exfiltration
SIEM Query:
source="coldfusion.log" AND ("deserialization" OR "java.io" OR suspicious POST request)