Organizations big and small are once again scrambling to patch critical vulnerabilities that are already under active exploitation and cause the kind of breaches coveted by ransomware actors and nation-state spies.
The exploited vulnerabilities—one in Adobe ColdFusion and the other in various Citrix NetScaler products—allow for the remote execution of malicious code. Citrix on Tuesday patched the vulnerabilities, but not before threat actors exploited them. The most critical vulnerability, tracked as CVE-2023-3519, lurks in Citrix’s NetScaler ADC and NetScaler Gateway products. It carries a severity rating of 9.8 out of a possible 10 because it allows hackers to execute code remotely with no authentication required.
“This product line is a popular target for attackers of all skill levels, and we expect that exploitation will increase quickly,” researchers from Rapid7, the security firm that detected the attacks, warned Tuesday.
Yes, fusion meltdown is possible
The situation with Adobe ColdFusion is even more fraught. According to Rapid7, hackers are exploiting a 9.8 vulnerability tracked as CVE-2023-38203, in combination with CVE-2023-29298, a second ColdFusion vulnerability. Adobe issued a patch for the latter vulnerability on July 11, but according to Rapid7, the patch was incomplete. That means that CVE-2023-29298—which allows hackers to access webserver resources that normally should be off limits to unauthenticated parties, can still be exploited with trivial changes to the already released proof-of-concept exploit. An Adobe representative said the company is working on a complete fix now.
The botched patch isn’t the only fly to badly taint the Adobe security ointment. Last Wednesday—one day following the release of the incomplete fix—security firm Project Discovery disclosed another ColdFusion vulnerability that, according to Rapid7 company researchers appeared to believe Adobe had fixed a few days earlier but appears to be CVE-2023-38203 but mistakenly listed as the just-patched CVE-2023-29300.
In fact, Adobe had not patched the mislabeled vulnerability, which Project Discovery warned posed a “significant threat, allowing malicious actors to execute arbitrary code on vulnerable ColdFusion 2018, 2021, and 2023 installations without the need for prior authentication.” In effect, the security company had inadvertently dropped a critical zero-day on users already contending with the threat posed by the incomplete patch. Project Discovery promptly removed the disclosure post, and two days later, Adobe patched the vulnerability.
But by then, the moves were too late. Rapid7 said the two vulnerabilities—one that wasn’t properly patched and the other that was mistakenly disclosed two days prior to Adobe releasing a fix—are still being exploited on vulnerable servers. Fellow security firm Qualys further reported that in addition to those two vulnerabilities, attackers are also exploiting CVE-2023-29300, a separate ColdFusion vulnerability Adobe fixed last week. It also carries a 9.8 severity rating.
Both Rapid7 and Qualys said that the ColdFusion vulnerabilities are being exploited to install webshells, which are browser-like windows that allow people to remotely issue commands and execute code on a server. Neither security company provided further details about the attacks or the parties behind them.
People trying to assess the potential damage from failing to timely patch the vulnerabilities in Citrix’s NetScaler products or Adobe’s ColdFusion need look no further than the fallout from the recent mass exploitations of similarly critical vulnerabilities in two other widely used enterprise applications. As of Monday, critical flaws in the MOVEit file transfer software had led to the breach of 357 separate organizations, according to Emsisoft security analyst Brett Callow. Casualties include multiple government agencies.
Exploits of vulnerabilities in GoAnywhere, a different file-transfer app for enterprises, has claimed more than 100 organizations. Patches for both vulnerabilities have since been widely installed. Organizations relying on either ColdFusion or NetScaler should follow suit.