CVE Tools

CVE-2023-29298

Adobe ColdFusion Improper Access Control Security feature bypass

Published: Jul 12, 2023Updated: Oct 23, 2025 Sources: CVE List NVD BDUCWE-284

Description

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.

In plain language

AI Act now

CVE-2023-29298 is a ColdFusion security flaw that lets attackers reach restricted admin files without logging in; most small businesses should treat this as an urgent, patch-now risk because it has been used in real attacks.

Executive summary

CVE-2023-29298 is an Improper Access Control issue in Adobe ColdFusion that enables security feature bypass, allowing unauthenticated network access to restricted administrative CFM/CFC endpoints; it is listed in CISA KEV and has been exploited in the wild.

If affected, business impact
Unauthorized admin file accessComplete application compromise riskData theft riskService disruption risk

What to do now

  1. Check which Adobe ColdFusion version you run (and whether the admin endpoints/CFM-CFC handlers are reachable from your network).
  2. If you are on 2018u16 or earlier, upgrade ColdFusion to 2018u17.
  3. If you are on 2021u6 or earlier, upgrade ColdFusion to 2021u7.
  4. If you are on 2023.0.0.330468 or earlier, upgrade ColdFusion to 2023.0.0.330469.
  5. If you cannot upgrade immediately, apply the mitigations from Adobe’s APSB23-40 advisory and temporarily restrict network access to the affected admin endpoints until patched.
Patch / advisory Some work to apply

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:NA:N
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:NIntegrity
None
A:NAvailability
None

Weaknesses

Affected Products

and 2 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Jul 20, 2023
Remediation due:Aug 10, 2023

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Official Patch Available

References

and 1 more references View all →
1

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2023-29298 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows