Security experts have issued a warning over a potentially ‘incomplete’ fix for a security vulnerability in Adobe ColdFusion.
Researchers at Rapid7 have raised concerns that security patches issued for a series of vulnerabilities could still be placing users at risk.
Adobe released fixes for a series of vulnerabilities earlier this month affecting ColdFusion, including an access control bypass vulnerability - tracked as CVE-2023-29298 and discovered by Rapid7.
Researchers said that, based on observations, threat actors were found to be actively exploiting CVE-2023-29298 in customer environments.
“Rapid7 managed services teams have observed exploitation of Adobe ColdFusion in multiple customer environments,” the firm said in a blog post.
“The attacks our team has responded to thus far appear to be chaining CVE-2023-29298, a Rapid7-discovered access control bypass in ColdFusion that was disclosed on July 11, with an additional vulnerability.”
Unified Endpoint Management and Security in a work-from-anywhere world
Discover new ways to mitigate vulnerabilities
Behaviors observed by researchers were found to be “consistent” with a separate zero-day exploit published - and later removed - by Project Discovery on July 12.
According to Rapid7, it appears that Project Discovery initially believed it discovered an exploit, tracked as CVE-2023-29300 - a deserialization vulnerability - that would enable arbitrary code execution.
However, this was then found to have been a zero-day exploit chain that Adobe subsequently fixed.
“The Project Discovery team probably did not realize their discovery was a new zero-day vulnerability and (we assume) took down their blog while Adobe fixed the flaw,” the firm said.
Warning issued over incomplete fix
Although Adobe issued a raft of fixes for these vulnerabilities last week, Rapid7’s analysis revealed that the patch provided is “incomplete”.
This means that a modified exploit could still be leveraged to work against the latest version of ColdFusion.
Similarly, researchers warned that, at present, there is no mitigation for customers vulnerable to CVE-2023-29298.
“Rapid7 researchers determined earlier today that the fix Adobe provided for CVE-2023-29298 on 11 July is incomplete, and that a trivially modified exploit still works against the latest version of ColdFusion - released July 14).
“We have notified Adobe that their patch is incomplete.”
Researchers noted, however, that for the incomplete fix to be harnessed effectively, threat actors would still be reliant on a secondary vulnerability for “full execution on target systems”.
The firm urged customers to still update to the latest version of ColdFusion to mitigate the secondary vulnerability and prevent exploitation.
