Adobe ColdFusion Access Control Bypass

name: Adobe ColdFusion Access Control Bypass
id: d6821c0b-fcdc-4c95-a77f-e10752fae41a
version: 10
creation_date: '2023-08-23'
modification_date: '2026-05-13'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: |-
    The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360.
    It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel.
    This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints.
    If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.
data_source:
    - Suricata
search: |-
    | tstats `security_content_summariesonly`
      count min(_time) as firstTime
            max(_time) as lastTime

    FROM datamodel=Web WHERE

    Web.url IN (
        "*//CFIDE/adminapi*",
        "*//CFIDE/administrator*",
        "*//CFIDE/componentutils*",
        "*//CFIDE/main*",
        "*//CFIDE/restplay*",
        "*//CFIDE/servermanager*",
        "*//CFIDE/wizards*",
        "*//restplay*",
    )
    Web.status=200

    BY Web.http_user_agent Web.status Web.http_method
       Web.url Web.url_length Web.src Web.dest

    | `drop_dm_object_name("Web")`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `adobe_coldfusion_access_control_bypass_filter`
how_to_implement: This detection requires the Web datamodel to be populated from a supported Technology Add-On like Splunk for Apache, Splunk for Nginx, or Splunk for Palo Alto.
known_false_positives: |-
    This analytic is limited to HTTP Status 200.
    False positives may occur if the URI path is IP-restricted or externally blocked.
    It is recommended to review the context of the alerts and adjust the analytic parameters to better fit the specific environment.
references:
    - https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion-access-control-bypass/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: Possible exploitation of CVE-2023-29298 against $dest$ via $url$.
threat_objects:
    - field: src
      type: ip_address
analytic_story:
    - Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
asset_type: Network
cve:
    - CVE-2023-29298
mitre_attack_id:
    - T1190
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: web
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/adobe/coldfusion_cve_2023_29298.log
          source: not_applicable
          sourcetype: suricata
      test_type: unit