A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.
The security hole in question is tracked as CVE-2018-15961 and it was resolved by Adobe in September with its Patch Tuesday updates. The vendor described the vulnerability as a critical unrestricted file upload bug that allows arbitrary code execution. This was one of the five flaws reported to Adobe by Pete Freitag of Foundeo.
The updates were initially assigned a priority rating of “2,” which indicates that exploitation is less likely. However, Adobe silently updated its advisory in late September after learning that CVE-2018-15961 had been actively exploited and assigned a priority rating of “1” for the ColdFusion 2018 and ColdFusion 2016 updates.
According to Volexity, which specializes in incident response, forensics and threat intelligence, there is no public exploit for the targeted ColdFusion vulnerability. The company says it has spotted what it believes to be a China-based APT group exploiting the flaw to upload an old webshell known as China Chopper to a vulnerable server.
The compromised web server had all ColdFusion updates installed, except for the one patching CVE-2018-15961. The attack took place roughly two weeks after Adobe released the fixes, the security firm said.
Volexity’s analysis showed that the vulnerability was introduced when Adobe decided to replace the older FCKeditor WYSIWYG editor with the newer CKEditor. The security bug is said to be similar to a ColdFusion flaw patched back in 2009.
Exploitation of the vulnerability is not difficult, Volexity noted, as it only requires sending a specially crafted HTTP POST request to the upload.cfm file, which does not require any authentication and is unrestricted.
While CKEditor prevented users from uploading certain types of potentially dangerous files, such as .exe and .php, it still allowed .jsp (JavaServer Pages) files, which can be executed in ColdFusion.
The APT group observed by Volexity exploited this weakness, along with a bug that allowed them to change the destination directory, to upload the webshell.
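As an added defender-side illustration (not code from Volexity's report or from Adobe), the script below sweeps web server access logs for the pattern described above: unauthenticated POSTs to upload.cfm, followed by requests for .jsp content from the same client. The log lines and URL paths are constructed samples; the rule keys only on the upload.cfm filename and the .jsp extension named in the article.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The paths are
# placeholders: the rule keys only on the upload.cfm filename the article names.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2018:10:14:02 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.5 - - [02/Oct/2018:10:14:09 +0000] "POST /ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 312
203.0.113.5 - - [02/Oct/2018:10:14:31 +0000] "POST /ckeditor/uploadedfiles/1.jsp HTTP/1.1" 200 88
198.51.100.9 - - [02/Oct/2018:10:15:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """Return (ip, reason, path) findings for the two-stage pattern.

    Stage 1: any POST to a path ending in upload.cfm is flagged, because the
    handler is reachable without authentication, so the absence of a session
    cannot be used to filter it out.
    Stage 2: a later request for a .jsp resource from the same client is
    escalated, since a planted .jsp webshell is used by requesting it.
    """
    findings = []
    uploaders = defaultdict(int)  # ip -> number of upload.cfm POSTs seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path.endswith("/upload.cfm"):
            uploaders[rec["ip"]] += 1
            findings.append((rec["ip"], "post_to_upload_cfm", rec["path"]))
        elif path.endswith(".jsp") and uploaders.get(rec["ip"]):
            findings.append((rec["ip"], "jsp_request_after_upload", rec["path"]))
    return findings

if __name__ == "__main__":
    for ip, reason, path in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{reason}\t{path}")
```

A hit on stage 2 is worth a file-system check of the upload directory for .jsp files, since the article notes the editor blocked .exe and .php but not .jsp.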
After spotting this attack, the company’s researchers started analyzing publicly accessible ColdFusion servers and found many systems that appeared to have been compromised, including ones belonging to government, educational, healthcare, and humanitarian aid organizations. Many of the hacked sites had been defaced or showed attempts to upload a webshell.
While the researchers could not confirm that all attacks exploited CVE-2018-15961, there is some indication that a non-APT threat group may have discovered the flaw months before Adobe released a patch in September, as some of the attackers’ files had been last modified in early June.
Some of the targeted websites included defaced index files that attributed the attack to AnoaGhost, a hacktivist group said to be based in Indonesia and which appears to have ties to pro-ISIS hacker gangs.