BIPI

Adobe ColdFusion Zero-Day Chain: Deserialization to Federal Agency Breach


Two ColdFusion flaws chained into unauthenticated RCE: a WDDX deserialization sink reached via ACL bypass compromised federal agencies and triggered a CISA emergency directive.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 8, 2024 · 9 min read

#cve-2023-29300 #cve-2023-38205 #coldfusion #deserialization #adobe #federal

Two Adobe ColdFusion vulnerabilities disclosed in 2023 were chained by threat actors to achieve unauthenticated remote code execution on federal agency systems. CVE-2023-29300 is an improper deserialization flaw (CVSS 9.8) in ColdFusion's WDDX data format handling. CVE-2023-38205 is an access control bypass (CVSS 7.5) in the ColdFusion administrator endpoint. Together they allow an attacker to reach the deserialization sink without any prior authentication.

CVE-2023-29300: WDDX Deserialization RCE

ColdFusion supports WDDX (Web Distributed Data Exchange), a legacy XML-based serialization format for passing data between platforms. The deserialization routine for WDDX does not restrict the types that can be instantiated during deserialization. An attacker who can supply a malicious WDDX payload can cause the runtime to instantiate arbitrary Java classes and invoke methods, achieving remote code execution in the context of the ColdFusion application server.

CVE-2023-38205: ACL Bypass Enabling Unauthenticated Deserialization

The ColdFusion administrator servlet applies access controls via a filter that checks whether the request path is in an allowlist of public endpoints. A path manipulation technique, similar to that seen in Ivanti EPMM, allows requests to reach the WDDX-consuming endpoint while bypassing the filter. Combined with CVE-2023-29300, this yields unauthenticated RCE from the network. Adobe released CVE-2023-38205 specifically because attackers had already weaponized the bypass against the patch for CVE-2023-29300.


Affected Versions

  • ColdFusion 2018: Update 17 and earlier (patched in Update 18)
  • ColdFusion 2021: Update 7 and earlier (patched in Update 8)
  • ColdFusion 2023: GA and earlier (patched in Update 2)
  • ColdFusion 2016: End of life; no patches available

Federal Agency Compromise

CISA confirmed in its August 2023 advisory that threat actors exploited CVE-2023-29300 and CVE-2023-38205 to compromise at least two federal agencies. Post-exploitation activity included deployment of a web shell at a predictable path within the ColdFusion web root, exfiltration of configuration files containing database credentials, and lateral movement to database servers. CISA published Emergency Directive ED 23-02 requiring all FCEB agencies to patch within 72 hours or disconnect ColdFusion instances from agency networks.

The attackers knew exactly where to drop their web shell on ColdFusion servers, suggesting prior reconnaissance or tooling specifically built for ColdFusion targets rather than opportunistic scanning.

Observed Post-Exploitation Artifacts

  • Web shell files with .cfm extension placed in wwwroot or ColdFusion web root
  • Database configuration files (neo-datasource.xml) read and transmitted outbound
  • New Windows local administrator accounts created via cmd.exe invocation
  • Evidence of LDAP queries issued from the ColdFusion server account
  • Outbound connections to IP ranges previously associated with known APT infrastructure

Detection Guidance

Monitor ColdFusion access logs for requests containing path manipulation sequences in the administrator URL. Enable ColdFusion's built-in administrator IP allowlisting feature, which restricts admin panel access to specific source addresses. Any new .cfm file appearing in the web root outside a deployment event should trigger an immediate investigation.
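As an added illustration of the log monitoring described above (this is not code from the original article), the following Python canonicalizes each request path the way an access-control filter should see it and flags requests that reach an administrator path only after percent-decoding or traversal resolution, or that hit it directly from outside an assumed source allowlist. The admin path prefixes, the allowlist and the sample log lines are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed admin path prefixes and approved admin source addresses (adjust to the deployment).
ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")
ADMIN_ALLOWLIST = {"10.0.0.9"}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')  # common log format

# Constructed sample access-log lines (not real agency data).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2024:10:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.9 - - [08/Nov/2024:10:01:07 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048
198.51.100.7 - - [08/Nov/2024:10:02:13 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0
198.51.100.7 - - [08/Nov/2024:10:02:19 +0000] "POST /CFIDE/scripts/..%2fadministrator/index.cfm HTTP/1.1" 200 1024
198.51.100.7 - - [08/Nov/2024:10:02:25 +0000] "POST /CFIDE/%2561dministrator/index.cfm HTTP/1.1" 200 1024
"""

def normalize_path(raw_path):
    """Canonicalize a path as the filter should see it: strip the query string,
    percent-decode twice, drop ;path-params, lowercase, resolve './..' segments."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/").lower()
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath("/" + path.lstrip("/"))

def analyze_line(line):
    """Return a finding dict for a suspicious administrator request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, raw, status = m.groups()
    norm = normalize_path(raw)
    if not norm.startswith(ADMIN_PREFIXES):
        return None
    plain = raw.split("?", 1)[0].lower()
    if plain != norm:  # literal path != canonical admin path: traversal, encoding or path params
        reason = "admin path reached via encoded/traversal/obfuscated request"
    elif src not in ADMIN_ALLOWLIST:
        reason = "direct admin access from non-allowlisted source"
    else:
        return None
    return {"src": src, "method": method, "raw": raw, "normalized": norm,
            "status": status, "reason": reason}

def scan(log_text):
    return [f for f in map(analyze_line, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields three findings, all from 198.51.100.7; the allowlisted direct admin request and the ordinary page request produce none.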

Remediation

  1. Apply the patches for all three CVEs: CVE-2023-29300, CVE-2023-38205, and the related CVE-2023-38204
  2. Restrict ColdFusion administrator access to specific IP ranges immediately
  3. Disable WDDX deserialization if not required by application functionality
  4. Audit web root for unexpected .cfm files
  5. Rotate all database credentials stored in ColdFusion datasource configuration
  6. Enable ColdFusion application sandbox to reduce RCE impact scope

Why Legacy Application Servers Carry Disproportionate Risk

  • ColdFusion's WDDX support is decades old and rarely audited for modern threat models
  • Federal agencies and legacy enterprises may run ColdFusion versions no longer receiving patches
  • Application server processes often run with elevated OS privileges inherited from installation defaults
  • Remediation depends on a full inventory of all ColdFusion deployments, including version and patch level
