In response to reports of exploits targeting pre-authentication remote code execution (RCE) vulnerabilities in ColdFusion, Adobe released three security updates in July of last year: APSB23-40, APSB23-41, and APSB23-47. Project Discovery has published an extensive analysis of those exploits, which covers a critical vulnerability in the WDDX deserialization routine of Adobe ColdFusion 2021.
Although those patches have been available for months, the Adobe ColdFusion deserialization-of-untrusted-data vulnerability, which carries a high risk of arbitrary code execution, continues to be exploited, according to FortiGuard Labs IPS telemetry (Figure 1). The observed attacks involve probing for vulnerable instances, establishing reverse shells, and staging malware for later use. This article offers a thorough examination of the Adobe ColdFusion vulnerability used by this attack group.