Security experts have issued a warning over a potentially ‘incomplete’ fix for a security vulnerability in Adobe ColdFusion.
Researchers at Rapid7 have raised concerns that security patches issued for a series of vulnerabilities could still be placing users at risk.
Adobe released fixes for a series of vulnerabilities earlier this month affecting ColdFusion, including an access control bypass vulnerability - tracked as CVE-2023-29298 and discovered by Rapid7.
Researchers said that, based on observations, threat actors were found to be actively exploiting CVE-2023-29298 in customer environments.
“Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments,” the firm said in a blog post.
“The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability.”
RELATED RESOURCE
Unified Endpoint Management and Security in a work-from-anywhere world
Discover new ways to mitigate vulnerabilities
Behaviors observed by researchers were found to be “consistent” with a separate zero-day exploit published - and later removed - by Project Discovery on July 12.
According to Rapid7, it appears that Project Discovery initially believed it discovered an exploit, tracked as CVE-2023-29300 - a deserialization vulnerability - that would enable arbitrary code execution.
However, this was then found to have been a zero-day exploit chain that Adobe subsequently fixed.
“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” the firm said.
Warning issued over incomplete fix
Although Adobe issued a raft of fixes for these vulnerabilities last week, Rapid7’s analysis revealed that the patch provided is “incomplete”.
This means that a modified exploit could still be leveraged to work against the latest version of ColdFusion.
Similarly, researchers warned that, at present, there is no mitigation for customers vulnerable to CVE-2023-29298.
“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on 11 July is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion - released July 14).
“We have notified Adobe that their patch is incomplete.”
Researchers noted, however, that for the incomplete fix to be harnessed effectively, threat actors would still be reliant on a secondary vulnerability for “full execution on target systems”.
The firm urged customers to still update to the latest version of ColdFusion to mitigate the secondary vulnerability and prevent exploitation.
-
AWS targets IT modernization gains with new agentic AI features in TransformNews New custom agents aim to speed up legacy code modernization and mainframe overhauls
-
HSBC partners with Mistral to fuel bank-wide generative AI adoptionNews The multi-year, strategic partnership will focus on transforming a range of services and tasks from customer-facing to fraud detection and more
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
