Actively exploited in the wild
Adobe ColdFusion Deserialization of Untrusted Data Vulnerability
Adobe — ColdFusion · Listed in the CISA KEV since 2024-01-08. This indicates confirmed attacks in production environments.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
CVE-2023-38203
Severity: Critical (CVSS 9.8) · KEV · Exploitation Probability (EPSS)
Very high risk: 100th percentile (higher than 100% of all known CVEs)
Summary
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier), and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution. Exploitation of this issue does not require user interaction.
Risk Assessment
Exploitation of this vulnerability could lead to unauthorized access and full control over the system, posing a serious security threat to the organization.
Recommendation
It is recommended to update Adobe ColdFusion to the latest version to mitigate the risks associated with this vulnerability.
Original NVD description (English source)
Adobe ColdFusion versions 2018u17 (and earlier), 2021u7 (and earlier) and 2023u1 (and earlier) are affected by a Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.