CVE Catalog

Actively exploited in the wild

Adobe ColdFusion Deserialization of Untrusted Data Vulnerability

Adobe — ColdFusion · Listed in the CISA KEV since 2024-01-08. A KEV listing means CISA has reliable evidence that the vulnerability is being exploited in the wild, not merely that a proof of concept exists.

Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CVE-2023-38203

Critical · CVSS 9.8 · KEV

Exploitation Probability (EPSS)

Very high risk
97.00%

100th percentile (rounded): this score is higher than effectively all other known CVEs, so it should sit at the top of any exploitability-based patch queue.

Summary (NVD description)

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Risk Assessment

The CVSS 9.8 score corresponds to a network-reachable flaw that needs no privileges and no user interaction, so an unauthenticated remote attacker who can reach the ColdFusion service can execute arbitrary code in the context of the ColdFusion process. From there an attacker can read application data and credentials, deploy web shells, and pivot into the surrounding network. Because the issue is in deserialization of attacker-controlled data, ordinary input validation at the application layer does not protect against it; only the vendor fix does.

Recommendation

Update Adobe ColdFusion to a release later than the affected ranges above: anything newer than 2018 update 17, 2021 update 7, or 2023 update 1 for the respective major release, following Adobe's update instructions. After patching, confirm the installed update number from the ColdFusion Administrator rather than trusting the installer exit status, and restrict network exposure of ColdFusion to trusted sources where possible. If a supported update cannot be applied, the KEV required action applies: discontinue use of the product.
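The affected ranges above are per major release and update number, so version triage across an inventory is a two-key comparison rather than a simple "less than" check. The following helper is an added example for this page and is not part of the NVD, CISA or Adobe material it summarizes. It assumes ColdFusion reports its version as a comma-separated string of the form "year,0,update,build" (an assumption about the product's version format, not something stated on this page), and the inventory it runs over is constructed sample data.

```python
"""Triage helper for CVE-2023-38203: is a ColdFusion install inside an affected range?

Affected ranges are taken from the NVD description on this page:
  ColdFusion 2018 update 17 and earlier,
  ColdFusion 2021 update 7 and earlier,
  ColdFusion 2023 update 1 and earlier.

Assumption (not stated on this page): the version string has the shape
"<year>,0,<update>[,<build>]", e.g. "2021,0,7,330000". Build numbers below
are constructed sample values, not real Adobe build identifiers.
"""
import re
from typing import Optional

# Last affected update per major release, per the NVD text on this page.
LAST_AFFECTED_UPDATE = {2018: 17, 2021: 7, 2023: 1}

# year, minor, update, optional build; whitespace tolerated because the string
# is usually copied out of an admin page or a script's output.
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\s*,\s*(\d+)\s*,\s*(\d+)\s*(?:,\s*(\d+))?\s*$"
)


def parse_version(version: str) -> tuple[int, int]:
    """Return (major_year, update_number) from the assumed version format.

    Raises ValueError on anything it does not recognise, so a malformed
    inventory entry is surfaced instead of silently treated as patched.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(m.group(1)), int(m.group(3))


def is_affected(version: str) -> Optional[bool]:
    """True if inside an affected range, False if past it, None if the major
    release is not covered by the advisory text (treat None as 'investigate',
    never as 'safe'; an unlisted release may simply be out of support)."""
    major, update = parse_version(version)
    last_bad = LAST_AFFECTED_UPDATE.get(major)
    if last_bad is None:
        return None
    return update <= last_bad


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> 'AFFECTED' / 'patched' / 'unknown release' / 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            state = is_affected(version)
        except ValueError:
            result[host] = "unparseable"
            continue
        if state is None:
            result[host] = "unknown release"
        else:
            result[host] = "AFFECTED" if state else "patched"
    return result


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "cf-prod-01": "2021,0,7,330000",   # 2021u7: affected
    "cf-prod-02": "2021,0,8,330468",   # 2021u8: past the affected range
    "cf-dev-01": "2023,0,1,330468",    # 2023u1: affected
    "cf-dev-02": "2023,0,2,330617",    # 2023u2: past the affected range
    "cf-legacy-01": "2018,0,17,329464",  # 2018u17: affected
    "cf-legacy-02": "2016,0,17,325979",  # 2016 is not mentioned by the advisory
    "cf-broken": "ColdFusion 2021",    # cannot be triaged automatically
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:20} {verdict}")
```

The "unknown release" and "unparseable" outcomes are deliberate: a triage script that maps anything it cannot classify to "patched" will quietly hide exactly the hosts (out-of-support installs, hand-edited version files) that are most likely to still be exposed.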

Vulnerability data from NVD (NIST) · CISA KEV · EPSS