Connect with us

Hi, what are you looking for?



Adobe ColdFusion Vulnerability Exploited in the Wild

A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.

A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.

The security hole in question is tracked as CVE-2018-15961 and it was resolved by Adobe in September with its Patch Tuesday updates. The vendor described the vulnerability as a critical unrestricted file upload bug that allows arbitrary code execution. This was one of the five flaws reported to Adobe by Pete Freitag of Foundeo.

The updates were initially assigned a priority rating of “2,” which indicates that exploitation is less likely. However, Adobe silently updated its advisory in late September after learning that CVE-2018-15961 had been actively exploited and assigned a priority rating of “1” for the ColdFusion 2018 and ColdFusion 2016 updates.

According to Volexity, which specializes in incident response, forensics and threat intelligence, there is no public exploit for the targeted ColdFusion vulnerability. The company says it has spotted what it believes to be a China-based APT group exploiting the flaw to upload an old webshell known as China Chopper to a vulnerable server.

The compromised web server had all ColdFusion updates installed, except for the one patching CVE-2018-15961. The attack took place roughly two weeks after Adobe released the fixes, the security firm said.

Volexity’s analysis showed that the vulnerability was introduced when Adobe decided to replace the older FCKeditor WYSIWYG editor with the newer CKEditor. The security bug is said to be similar to a ColdFusion flaw patched back in 2009.

Exploitation of the vulnerability is not difficult, Volexity noted, as it only requires sending a specially crafted HTTP POST request to the upload.cfm file, which does not require any authentication and is unrestricted.

Advertisement. Scroll to continue reading.

While CKEditor prevented users from uploading certain types of potentially dangerous files, such as .exe and .php, it still allowed .jsp (JavaServer Pages) files, which can be executed in ColdFusion.

The APT group observed by Volexity exploited this weakness, along with a bug that allowed them to change the destination directory, to upload the webshell.

After spotting this attack, the company’s researchers started analyzing publicly accessible ColdFusion servers and found many systems that appeared to have been compromised, including ones belonging to government, educational, healthcare, and humanitarian aid organizations. Many of the hacked sites had been defaced or showed attempts to upload a webshell.

While the researchers could not confirm that all attacks exploited CVE-2018-15961, there is some indication that a non-APT threat group may have discovered the flaw months before Adobe released a patch in September, as some of the attackers’ files had been last modified in early June.

Some of the targeted websites included defaced index files that attributed the attack to AnoaGhost, a hacktivist group said to be based in Indonesia and which appears to have ties to pro-ISIS hacker gangs.

Related: Adobe Patches Flash Zero-Day Exploited in Targeted Attacks

Related: Adobe Patches Flash Zero-Day Exploited by North Korean Hackers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.