May 8, 2013


0-Day Exploit for ColdFusion

Today, a new 0-day exploit for ColdFusion was discovered. Review of the exploit code indicates that it potentially affects all versions of ColdFusion. The good news is that if you’ve followed our recommendations to lock down the ColdFusion administrator, adminapi, and componentutils directories via IP address restrictions, your server is presumed safe from this exploit. All servers with ColdFusion were locked down in previous months based on Adobe’s recommendations: CF9 Lockdown Guide | CF10 Lockdown Guide

The exploit first attempts to determine the version of ColdFusion running on the server and then attempts to obtain the ColdFusion Administrator password. If successful, the attacker has free rein over the server and can install malicious shell scripts, install malicious executables, and view any data stored on the server, including anything stored in databases.

Currently, the only way to prevent the exploit is to lock down ColdFusion using the recommendations Edge outlined in prior months and Adobe’s recommendations linked above. As always, be sure to keep up to date with any ColdFusion releases for your server(s) and apply them.
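One way to confirm the IP restrictions described above are actually being enforced is to audit the web server access log for requests to the three directories that came from outside the allowlist and were not refused. This is an added example, not code from the original post or from Adobe; the `/CFIDE` prefix, the allowlist ranges, the Common Log Format layout, and the set of "refused" status codes are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Directories named in the post; the /CFIDE prefix is assumed (default install).
PROTECTED = ("/cfide/administrator", "/cfide/adminapi", "/cfide/componentutils")
# Constructed allowlist using documentation address ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.1/32")]
# Statuses treated as "request was refused" (assumption; adjust per web server).
DENIED = {"401", "403", "404"}
# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def is_protected(path):
    """True if the request path falls under one of the locked-down directories."""
    p = unquote(path.split("?", 1)[0]).lower()  # drop query, decode %xx, fold case
    p = re.sub(r"/+", "/", p)                   # collapse duplicate slashes
    return any(p == d or p.startswith(d + "/") for d in PROTECTED)

def audit(lines):
    """Return (client, path, status) for outside requests that were not refused."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, path, status = m.groups()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or malformed client field
        if any(addr in net for net in ALLOWED_NETS):
            continue
        if is_protected(path) and status not in DENIED:
            findings.append((client, path, int(status)))
    return findings

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/May/2013:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/May/2013:10:01:12 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 312',
    '198.51.100.23 - - [08/May/2013:10:02:40 +0000] "GET /CFIDE/adminapi/ HTTP/1.1" 200 88',
    '198.51.100.23 - - [08/May/2013:10:02:41 +0000] "GET /cfide//componentutils/ HTTP/1.1" 200 2048',
    '198.51.100.23 - - [08/May/2013:10:02:45 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, path, status in audit(SAMPLE_LOG):
        print(f"lockdown gap: {client} got {status} for {path}")
```

Any finding means a restricted directory answered a client outside the allowlist, so the restriction for that path should be rechecked.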
