Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked as CVE-2023-29300 (CVSS score 9.8), that is actively exploited in attacks in the wild.
“Adobe is aware that CVE-2023-29300 has been exploited in the wild in very limited attacks targeting Adobe ColdFusion,” reads a statement sent by the company to its customers.
An unauthenticated visitor can exploit the vulnerability to remotely execute commands on vulnerable Coldfusion 2018, 2021, and 2023 servers.
The issue is a deserialization of untrusted data that was discovered by the security researcher Nicolas Zilio from CrowdStrike.
