Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● Critical · CVSS 9.8 ⚠ ACTIVELY EXPLOITED — CISA KEV

How to Fix CVE-2023-29300: Adobe ColdFusion Wddx Deserialization RCE

*By Sai Kiran Pandrala*

⚡ At a glance

Severity: CVSS 9.8, Critical
Actively exploited: Yes, listed in CISA KEV
Affected: Adobe ColdFusion 2018 Update 16 and earlier; ColdFusion 2021 Update 6 and earlier; ColdFusion 2023 GA and earlier
Fixed in: ColdFusion 2018 Update 17, 2021 Update 7, 2023 Update 1 (and later) per Adobe APSB23-40
Type (CWE): CWE-502: Deserialization of Untrusted Data

⚠️ Patch and apply lockdown. ColdFusion has had multiple deserialization CVEs in succession. Apply the latest update and the Adobe ColdFusion Lockdown Guide for defense-in-depth.

What is CVE-2023-29300?

Adobe ColdFusion's Wddx (Web Distributed Data eXchange) deserializer accepts untrusted input on certain endpoints. An attacker can submit a crafted Wddx packet that causes ColdFusion to instantiate attacker-controlled Java classes, leading to remote code execution as the ColdFusion service account.

ColdFusion is heavily used by government agencies, universities, and legacy enterprise web apps. RCE on a ColdFusion server typically gives the attacker the database connection strings, internal API credentials, and any uploaded customer documents the app handles.
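Because the vulnerable code path is the WDDX deserializer itself, the most useful interim signal a defender has is "who is sending WDDX packets to this server at all?". The script below is an added example for this guide, not code from Adobe or from the page: it reviews request records (constructed samples, not real traffic) and flags any request body that carries a <wddxPacket> element, including bodies where the packet is URL-encoded inside a form field. The record fields, sample paths and IP addresses are assumptions; adapt the loader to your own access-log or WAF export format.

```python
"""Flag requests that carry a WDDX packet toward a ColdFusion server.

Added example for this guide; it is not code from Adobe or from the page.
It reviews request records (constructed samples below, not real traffic)
and flags bodies containing a <wddxPacket> element, the input the
vulnerable deserializer consumes. Field names, sample paths and IPs are
assumptions: adapt the loader to your own access-log or WAF format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote_plus

# Opening element of a WDDX packet, matched case-insensitively.
WDDX_MARKER = re.compile(r"<\s*wddxPacket\b", re.IGNORECASE)


@dataclass
class RequestRecord:
    src_ip: str
    method: str
    path: str
    body: str


def is_wddx_request(rec: RequestRecord) -> bool:
    """True when the request body contains a WDDX packet.

    The body is URL-decoded first so a packet hidden inside a form field
    (%3CwddxPacket...) is not missed; plain bodies pass through unchanged.
    """
    return bool(WDDX_MARKER.search(unquote_plus(rec.body)))


def find_wddx_requests(records):
    """Return (src_ip, path) for every record carrying a WDDX packet."""
    return [(r.src_ip, r.path) for r in records if is_wddx_request(r)]


def sources_by_count(records):
    """Count flagged requests per source IP, most active first."""
    return Counter(ip for ip, _ in find_wddx_requests(records)).most_common()


# Constructed sample traffic (documentation IP ranges, invented paths).
SAMPLE_REQUESTS = [
    RequestRecord("10.0.0.5", "POST", "/app/login.cfm", "user=alice&pw=REDACTED"),
    RequestRecord("203.0.113.7", "POST", "/app/api.cfc",
                  "<wddxPacket version='1.0'><header/><data><string>x</string></data></wddxPacket>"),
    RequestRecord("10.0.0.9", "GET", "/app/index.cfm", ""),
    # Same packet shape, URL-encoded and upper-cased inside a form field.
    RequestRecord("203.0.113.7", "POST", "/app/api.cfc",
                  "payload=%3CWDDXPACKET+version%3D%271.0%27%3E%3Cheader%2F%3E%3Cdata%2F%3E%3C%2FWDDXPACKET%3E"),
    # Mentions the word but carries no packet element: must not be flagged.
    RequestRecord("10.0.0.12", "POST", "/app/search.cfm", "q=wddx+packet+format"),
]

if __name__ == "__main__":
    for ip, path in find_wddx_requests(SAMPLE_REQUESTS):
        print(f"WDDX packet in request from {ip} to {path}")
    print("flagged requests by source:", sources_by_count(SAMPLE_REQUESTS))
```

A hit is not proof of exploitation, since legitimate ColdFusion applications may exchange WDDX, but on a server that is still unpatched, every flagged source is worth checking against your expected clients.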

Am I affected?

You are affected if you run Adobe ColdFusion at any of these levels:

  - ColdFusion 2018 Update 16 and earlier
  - ColdFusion 2021 Update 6 and earlier
  - ColdFusion 2023 GA and earlier

ColdFusion 11 and earlier are end-of-life, so no patch is coming; the supported path is to upgrade to a current ColdFusion release.

Check your ColdFusion version: log into the ColdFusion Administrator → Server Settings → Settings Summary, or view <cfroot>/lib/version.properties.
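When more than a handful of servers are involved, comparing each reported version against the fixed-in levels by hand is error-prone. The script below is an added example for this guide, not Adobe's tooling: it parses the version string shown in Settings Summary and classifies each host as patched, vulnerable, end-of-life or unknown using the update levels from APSB23-40 as summarized above. The "release,0,update,build" layout of the version string is an assumption, and the hostnames and build numbers in the sample inventory are constructed; adjust parse_version() if your build reports the version differently.

```python
"""Triage ColdFusion version strings against the APSB23-40 fixed-in levels.

Added example for this guide, not Adobe's tooling. The fixed-in update
numbers are the ones the bulletin lists (2018 Update 17, 2021 Update 7,
2023 Update 1). The version-string layout "release,0,update,build", as
shown in the Administrator's Settings Summary, is an assumption: adjust
parse_version() if your build reports it differently.
"""
import re

# Minimum update level that contains the fix, per APSB23-40.
FIXED_IN = {2018: 17, 2021: 7, 2023: 1}

# ColdFusion 11 and earlier are end-of-life; no patch will ship for them.
LAST_EOL_RELEASE = 11


def parse_version(version: str):
    """Return (release, update) from a "2021,0,06,329636"-style string.

    Commas or dots are accepted as separators. Raises ValueError when the
    string does not have at least three numeric fields.
    """
    fields = re.split(r"[,.]", version.strip())
    if len(fields) < 3 or not all(f.isdigit() for f in fields[:3]):
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(fields[0]), int(fields[2])


def assess(version: str) -> str:
    """Classify one host's version as patched, vulnerable, EOL or unknown."""
    release, update = parse_version(version)
    if release <= LAST_EOL_RELEASE:
        return "end-of-life: upgrade to a supported release"
    fixed = FIXED_IN.get(release)
    if fixed is None:
        # A train the bulletin does not list (for example 2016): verify by hand.
        return "unknown release: check the advisory"
    if update >= fixed:
        return "patched"
    return f"vulnerable: apply Update {fixed} or later"


def triage_fleet(versions: dict) -> dict:
    """Map hostname -> assessment; a malformed string is reported, not fatal."""
    report = {}
    for host, version in versions.items():
        try:
            report[host] = assess(version)
        except ValueError as exc:
            report[host] = f"unparsed: {exc}"
    return report


# Constructed inventory: hostnames and build numbers are invented.
SAMPLE_FLEET = {
    "cf-web-01": "2023,0,00,330468",   # 2023 GA, no update applied
    "cf-web-02": "2023,0,01,330468",   # 2023 Update 1
    "cf-legacy": "2018,0,16,328906",   # 2018 Update 16
    "cf-old":    "11,0,19,314546",     # end-of-life train
    "cf-odd":    "2021",               # truncated inventory entry
}

if __name__ == "__main__":
    for host, verdict in triage_fleet(SAMPLE_FLEET).items():
        print(f"{host:10} {verdict}")
```

Feed triage_fleet() the version strings collected from each server's Settings Summary (or version.properties) and act on anything that does not come back as "patched".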

How to fix CVE-2023-29300

  1. Open Adobe security bulletin APSB23-40 linked below.
  2. Download the latest cumulative update for your ColdFusion train from the Adobe ColdFusion download page.
  3. Back up the ColdFusion install (the <cfroot> directory and any associated database).
  4. Stop ColdFusion:

   # Vendor advisory: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
   # Windows
   net stop "ColdFusion 2023 Application Server"
   # Linux
   <cfroot>/cfusion/bin/coldfusion stop

  5. Apply the update by running the downloaded JAR:

   java -jar hotfix-XXX.jar

  6. Start ColdFusion and verify the version in Settings Summary.
  7. Apply the ColdFusion Lockdown Guide for your release. Adobe publishes a separate lockdown PDF that walks through file permissions, account separation, and service hardening that closes secondary attack paths.


Verify the fix landed

# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
#    Check Administrator → Server Settings → Settings Summary, or read the file:
cat <cfroot>/lib/version.properties

# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2023-29300 on the patched target.

# 3. Confirm the service came back up cleanly and check its recent logs for
#    startup errors or a rolled-back update.
<cfroot>/cfusion/bin/coldfusion status
journalctl -u <coldfusion-service-unit> --since "10 minutes ago"

If you can't patch immediately

Interim hardening such as the ColdFusion Lockdown Guide reduces exposure, but the patch is the only remediation.

How to verify the fix worked

  1. ColdFusion Administrator → Server Settings → Settings Summary shows the patched update level.
  2. Run a vulnerability scan against the ColdFusion URL. CVE-2023-29300 detection should clear.

Frequently asked questions

Is CVE-2023-29300 actively exploited?

Yes. CVE-2023-29300 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.

What is the CVSS severity of CVE-2023-29300?

Critical. See the advisory for the full CVSS vector.

Where can I read the official advisory?

See https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html

Does the patch require a reboot?

It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.

References

  - Adobe security bulletin APSB23-40: https://helpx.adobe.com/security/products/coldfusion/apsb23-40.html
  - NVD record for CVE-2023-29300: https://nvd.nist.gov/vuln/detail/CVE-2023-29300
  - CISA Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

*This guide was assembled from Adobe security bulletin APSB23-40, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Adobe's bulletin before applying changes in production.*