Adobe ColdFusion Access Control Bypass Attack

Released: Jan 16, 2024


Severity: High

Vendor: Adobe

Type: Vulnerability

Critical-level detections in the wild

FortiGuard Labs observed extremely widespread exploitation attempts relating to security bypass vulnerabilities in Adobe ColdFusion. Successful exploitation could result in access to the ColdFusion Administrator endpoints.

Common Vulnerabilities and Exposures

CVE-2023-26347
CVE-2023-38205
CVE-2023-29298
CVE-2023-38203

Background

Adobe ColdFusion is a commercial rapid web-application development platform used to build, test and deploy web applications quickly. Previously, in August 2023, we saw it being actively targeted by attackers exploiting CVE-2023-26359 and CVE-2023-26360, which led to the release of an Outbreak Alert at that time. To read the full Outbreak, visit: https://www.fortiguard.com/outbreak-alert/adobe-coldfusion-code-execution

Latest Development

Recent news and incidents related to cybersecurity threats encompassing various events such as data breaches, cyber-attacks, security incidents, and vulnerabilities discovered.


  • January 09, 2024: FortiGuard Labs observed a critical level of continued attacks on Adobe ColdFusion, with IPS detections reaching 50,000+ unique detections. Users of Adobe ColdFusion are advised to apply patches as per vendor guidelines as soon as possible to fully mitigate the risk, if not already done.

  • January 08, 2024: CVE-2023-38203, an Adobe ColdFusion Deserialization of Untrusted Data vulnerability, was added to the CISA KEV list and has been seen actively exploited.

  • November 28, 2023: CVE-2023-26347, another Access Control Bypass vulnerability, was announced and Adobe released patches for it.

    https://helpx.adobe.com/ca/security/products/coldfusion/apsb23-52.html

  • July 20, 2023: Adobe ColdFusion vulnerabilities (CVE-2023-38205, CVE-2023-29298) were added to CISA's KEV catalog.

  • July 19, 2023: Adobe released security updates for ColdFusion versions 2023, 2021 and 2018 to fix CVE-2023-38205. At the time of the release, Adobe noted that CVE-2023-38205 had been exploited in the wild in limited attacks. Please note that CVE-2023-38205 was released as a fix for the incomplete patch for CVE-2023-29298.

    https://helpx.adobe.com/security/products/coldfusion/apsb23-47.html

FortiGuard Cybersecurity Framework

Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.


PROTECT
  • Vulnerability

  • IPS

  • Web App Security

DETECT
  • IOC

  • Outbreak Detection

  • Threat Hunting

  • Playbook

RESPOND
  • Assisted Response Services

  • Automated Response

RECOVER
  • NOC/SOC Training

  • End-User Training

IDENTIFY
  • Attack Surface Hardening

  • Vulnerability Management

  • Business Reputation

Threat Intelligence

Information gathered from analyzing ongoing cybersecurity events including threat actors, their tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), malware and related vulnerabilities.



Indicators of compromise

IOC Indicator List

References

Sources of information in support and relation to this Outbreak and vendor.