CVE-2023-38203

CRITICAL
2023-07-20 [email protected]
9.8
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Patch Released
Oct 23, 2025 - 11:13 nvd
Patch available
Added to CISA KEV
Oct 23, 2025 - 11:13 cisa
CISA KEV
CVE Published
Jul 20, 2023 - 16:15 nvd

The October 2025 timestamps on the patch and KEV entries are when this tracker recorded those records, not when the events happened: Adobe's fix and the CISA KEV listing both date from July 2023, the same month the CVE was published. Do not read the 2025 date as a recently released fix; an affected ColdFusion host has been exploitable, and known to be exploited, since mid-2023.

Description

Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.

Analysis

Adobe ColdFusion contains a second deserialization vulnerability enabling unauthenticated RCE, disclosed shortly after CVE-2023-29300 and similarly exploited against government and enterprise targets.

Technical Context

The CWE-502 flaw is a second route to unauthenticated RCE through the same deserialization handling that CVE-2023-29300 abused: the fix shipped for CVE-2023-29300 was incomplete, and CVE-2023-38203 bypasses it. An attacker needs only network access to the ColdFusion instance, no credentials and no user interaction (AV:N/PR:N/UI:N in the vector above), so hosts that took the CVE-2023-29300 update but not this one remained fully exposed. A patch-status check must therefore confirm the later update level for the installed major version, not merely that a July 2023 update was applied.

Affected Products

Adobe ColdFusion 2018u17 and earlier
Adobe ColdFusion 2021u7 and earlier
Adobe ColdFusion 2023u1 and earlier
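As an added example, not code from vuln.today or Adobe, the following script turns the affected-product list above into a patch-state check: it reads the version string a ColdFusion server reports and says whether the host is at or below the last affected update for its major version, which is the question the CVE-2023-29300/CVE-2023-38203 split makes easy to get wrong. The version-string layout (year, 0, update, build, comma- or dot-separated, as in server.coldfusion.productversion) is an assumption of this example, and every hostname and build number in the sample inventory is constructed.

```python
"""Patch-state check for CVE-2023-38203 from ColdFusion version strings.

Affected per the advisory: 2018 Update 17 and earlier, 2021 Update 7 and
earlier, 2023 Update 1 and earlier. Input is assumed to be the value a server
reports in server.coldfusion.productversion, e.g. "2021,0,07,325996"
(year, 0, update, build); a dotted form is accepted too. All hostnames and
build numbers below are constructed for the example.
"""
from typing import Dict, Optional, Tuple

# Highest update level still affected, per major version, from the advisory.
LAST_AFFECTED_UPDATE = {2018: 17, 2021: 7, 2023: 1}


def parse_productversion(version: str) -> Tuple[int, int]:
    """Return (major, update) from 'YYYY,0,UU,BBBBBB' or 'YYYY.0.UU.BBBBBB'."""
    parts = version.strip().replace(".", ",").split(",")
    if len(parts) < 3 or not all(p.strip().isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(parts[0]), int(parts[2])


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the reported version is at or below the last affected update.

    Returns None for a major version the advisory does not list (for example
    ColdFusion 2016, already end-of-life when this CVE was published); treat
    those as unpatched rather than safe, since no fix exists for them.
    """
    major, update = parse_productversion(version)
    last = LAST_AFFECTED_UPDATE.get(major)
    if last is None:
        return None
    return update <= last


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map {host: productversion} to {host: 'patch' | 'ok' | 'unsupported'}."""
    verdict = {}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        if state is None:
            verdict[host] = "unsupported"
        else:
            verdict[host] = "patch" if state else "ok"
    return verdict


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = {
    "cf-app-01": "2021,0,07,325996",  # 2021 Update 7: affected
    "cf-app-02": "2021,0,08,329779",  # 2021 Update 8: past the affected range
    "cf-app-03": "2023.0.01.330468",  # 2023 Update 1 (dotted form): affected
    "cf-app-04": "2018,0,17,320000",  # 2018 Update 17: affected
    "cf-legacy": "2016,0,18,000000",  # major version not covered by the advisory
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {SAMPLE_INVENTORY[host]:20s} {verdict}")
```

The check deliberately keys on the update number rather than the build, because the advisory is expressed in update levels; a host whose major version is not in the table comes back "unsupported" so that an end-of-life install is surfaced instead of silently passing.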

Remediation

Update every ColdFusion 2018, 2021 and 2023 instance past the affected update levels listed above (2018u17, 2021u7 and 2023u1 are still affected); having applied the CVE-2023-29300 fix alone is not enough, because CVE-2023-38203 bypasses it. Since the flaw was exploited in the wild before many hosts were patched, treat any instance that was network-reachable while on an affected update as potentially compromised: hunt for web shells and unexpected CFML/JSP files in the webroot, and review request logs for the period it was exposed.
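For the web-shell hunt the remediation calls for, an added example that is not the tracker's or Adobe's tooling: it walks a ColdFusion webroot for CFML/JSP files modified after a cutoff (the earliest moment the host was reachable while unpatched) and flags generic command-execution and file-write primitives in their content. The markers are general CFML/JSP shell heuristics, not indicators tied to these campaigns, and the sample webroot, its paths and its file contents are constructed.

```python
"""Hunt for dropped or modified script files in a ColdFusion webroot.

Reports CFML/JSP files whose modification time is after a cutoff and notes
which generic web-shell markers each one contains. The markers are general
heuristics, not indicators tied to any specific campaign. The sample webroot
built below is constructed for the example.
"""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List

SCRIPT_SUFFIXES = {".cfm", ".cfml", ".cfc", ".jsp", ".jspx"}

# Generic command-execution / file-write primitives used by CFML and JSP shells.
SHELL_MARKERS = {
    "cfexecute": re.compile(r"<cfexecute\b", re.I),
    "cffile-write": re.compile(r"<cffile\b[^>]*action\s*=\s*\"?(write|append)", re.I),
    "runtime-exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\(", re.I),
    "processbuilder": re.compile(r"new\s+ProcessBuilder\(", re.I),
    "createobject-java": re.compile(r"createObject\(\s*['\"]java['\"]", re.I),
}


def scan_webroot(root: str, modified_after: float) -> List[Dict]:
    """Return findings for script files modified after `modified_after` (epoch seconds).

    Each finding carries the relative path, mtime and the marker names matched.
    A file modified after the cutoff is reported even with no markers: a shell
    need not use any of them, and a legitimate deploy should be explainable.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        mtime = path.stat().st_mtime
        if mtime <= modified_after:
            continue
        text = path.read_text(errors="replace")
        hits = [name for name, rx in SHELL_MARKERS.items() if rx.search(text)]
        findings.append({"path": path.relative_to(root).as_posix(), "mtime": mtime, "markers": hits})
    return findings


# Cutoff for the constructed sample: pretend the vulnerable build went online a week ago.
CUTOFF = time.time() - 7 * 86400


def build_sample_webroot() -> str:
    """Create a constructed webroot: one old page, one fresh page, one dropped shell, one non-script."""
    root = tempfile.mkdtemp(prefix="cfroot-")
    files = {
        "index.cfm": ("<cfoutput>#now()#</cfoutput>", CUTOFF - 86400),            # predates cutoff
        "app/news.cfm": ('<cfquery name="q" datasource="db">select 1</cfquery>', CUTOFF + 3600),
        "assets/tmp.cfm": ('<cfexecute name="#url.c#" arguments="#url.a#" timeout="10" />', CUTOFF + 7200),
        "assets/logo.png": ("not a script", CUTOFF + 7200),                        # wrong suffix
    }
    for rel, (body, mtime) in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
        os.utime(p, (mtime, mtime))  # backdate or postdate relative to the cutoff
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_sample_webroot(), CUTOFF):
        flag = "SUSPECT" if f["markers"] else "review "
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(f["mtime"]))
        print(f"{flag} {when} {f['path']} {f['markers']}")
```

Run it against the real webroot with a cutoff taken from change-management records rather than the example's "one week ago", and remember that mtime is attacker-controllable: a file that was touched to an old date will not appear here, so pair the scan with a comparison against a known-good deployment and with the request logs for the exposed period.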

Priority Score

203
KEV: +50
EPSS: +94.2
CVSS: +49
POC: 0


CVE-2023-38203 vulnerability details – vuln.today
