CVE-2023-29300

CRITICAL
2023-07-12 [email protected]
9.8
CVSS 3.1
CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Oct 23, 2025 - 11:13 cisa
CISA KEV
CVE Published
Jul 12, 2023 - 16:15 nvd

Description

Adobe ColdFusion versions 2018u16 (and earlier), 2021u6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Analysis

Adobe ColdFusion 2023, 2021, and 2018 contain a Java deserialization vulnerability allowing unauthenticated remote code execution, part of a series of critical ColdFusion flaws actively exploited in 2023.

Technical Context

The flaw is a CWE-502 deserialization of untrusted data: ColdFusion's WDDX processing deserializes attacker-supplied serialized Java objects without validation. An attacker sends a request carrying a malicious serialized payload, and the code runs on the ColdFusion server during deserialization, before any authentication takes place.

Affected Products

Adobe ColdFusion 2018u16 and earlier
Adobe ColdFusion 2021u6 and earlier
Adobe ColdFusion 2023.0.0.330468 and earlier

Remediation

Apply Adobe's security updates immediately. Restrict external access to the ColdFusion administrator and WDDX endpoints. Review servers for web shells. Monitor ColdFusion processes for suspicious child process execution.

Priority Score

203
KEV: +50
EPSS: +93.7
CVSS: +49
POC: 0

CVE-2023-29300 vulnerability details – vuln.today