"Adobe Issues Urgent Warning on Exploited ColdFusion RCE Bug"

Adobe has issued a warning about a critical pre-authentication remote code execution (RCE) vulnerability, CVE-2023-29300, in ColdFusion that is actively being exploited in attacks. The vulnerability allows unauthenticated visitors to execute commands on vulnerable ColdFusion servers. Although initially not exploited in the wild, Adobe has confirmed limited attacks. The details of the exploitation are unknown, but a proof-of-concept exploit has been published. Adobe recommends upgrading to the latest version of ColdFusion to patch the vulnerability, while researchers warn that it can be combined with another vulnerability, CVE-2023-29298, to bypass lockdown mode. Adobe has not yet responded to inquiries about the active exploitation.