CVE-2023-29298
Adobe ColdFusion Improper Access Control Security feature bypass
Description
Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access the administration CFM and CFC endpoints. Exploitation of this issue does not require user interaction.
In plain language
AI Act nowCVE-2023-29298 is a ColdFusion security flaw that lets attackers reach restricted admin files without logging in; most small businesses should treat this as an urgent, patch-now risk because it has been used in real attacks.
CVE-2023-29298 is an Improper Access Control issue in Adobe ColdFusion that enables security feature bypass, allowing unauthenticated network access to restricted administrative CFM/CFC endpoints; it is listed in CISA KEV and has been exploited in the wild.
What to do now
- Check which Adobe ColdFusion version you run (and whether the admin endpoints/CFM-CFC handlers are reachable from your network).
- If you are on 2018u16 or earlier, upgrade ColdFusion to 2018u17.
- If you are on 2021u6 or earlier, upgrade ColdFusion to 2021u7.
- If you are on 2023.0.0.330468 or earlier, upgrade ColdFusion to 2023.0.0.330469.
- If you cannot upgrade immediately, apply the mitigations from Adobe’s APSB23-40 advisory and temporarily restrict network access to the affected admin endpoints until patched.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
References
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2023-29298 and every CVE in our database. Create a free account — no credit card required.
Create Free Account