CVE-2023-29298: Improper Access Control Vulnerability in Adobe ColdFusion Leveraged to Deliver Web Shells



In July 2023, Adobe fixed a high-severity access control bypass vulnerability (CVE-2023-29298, CVSS 7.5) in Adobe ColdFusion. Adobe ColdFusion is a web application development platform that uses the ColdFusion Markup Language (CFML) for server-side scripting. A threat actor can exploit this access control bypass vulnerability to log into a ColdFusion Administrator account, brute-force credentials, or leak sensitive information. Adobe has stated that it is aware that this vulnerability has been exploited in limited attacks.

Rapid7 additionally observed this vulnerability being chained with CVE-2023-38203 to install web shells. Rapid7 subsequently found a bypass for the CVE-2023-29298 patch (now tracked as CVE-2023-38205), which was observed already being exploited in attacks.

Recommendations for CVE-2023-29298

Update Adobe ColdFusion to Fixed Version

Arctic Wolf strongly recommends upgrading Adobe ColdFusion to the latest fixed version.


| Product | Affected Version | Fixed Version |
|---|---|---|
| Adobe ColdFusion 2018 | Update 16 and earlier versions | Update 19 |
| Adobe ColdFusion 2021 | Update 6 and earlier versions | Update 9 |
| Adobe ColdFusion 2023 | Update 2 and earlier versions | Update 3 |


Please follow your organization’s patching and testing guidelines to avoid operational impact.


Andres Ramos


Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.