CVE-2010-2861
Published 2010-08-11
Priority P1 · 93 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 99.72% (100.0th percentile)
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= 9.0.2 | — |
| adobe | coldfusion | <= 9.0.1 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
- url: /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
- path: /CFIDE/administrator/settings/mappings.cfm
- path: /CFIDE/administrator/logging/settings.cfm
- path: /CFIDE/administrator/datasources/index.cfm
- path: /CFIDE/administrator/j2eepackaging/editarchive.cfm
- Detect LFI exploitation attempts by matching GET/POST requests to ColdFusion admin CFM endpoints with a 'locale' parameter containing directory traversal sequences and a null byte (%00) followed by a file extension bypass.
- Match HTTP 200 responses to ColdFusion admin pages whose body contains both 'rdspassword=' and 'encrypted=' strings, indicating successful password.properties file disclosure.
- The Metasploit module iterates traversal depth by stripping leading '../' segments until a 40-character hex SHA-1 hash is found in the response body; monitor for repeated GET requests to enter.cfm with progressively shorter locale traversal strings from the same source IP.
- After hash extraction, the exploit authenticates by POSTing an HMAC-SHA1 of the extracted hash to /CFIDE/administrator/; detect POST requests to this endpoint with a 'cfadminPassword' parameter containing a 40-character uppercase hex string.
- Shodan/FOFA queries are used to identify exposed ColdFusion admin panels as pre-exploitation reconnaissance; monitor for scanning activity targeting these fingerprints.
- Post-exploitation: Cring ransomware uses Windows CertUtil to download payloads; monitor for certutil.exe invocations downloading remote files following ColdFusion process activity.
- Post-exploitation: Cobalt Strike Beacon (PS1 dropper SHA-256 a999e096...) is deployed after initial access via CVE-2010-2861; correlate the ColdFusion web server process spawning PowerShell child processes with encoded commands.
- Caveat: the null-byte truncation technique (%00) used in the locale parameter traversal may be filtered or ineffective on patched or modern JVM/OS configurations where null-byte injection in file paths is blocked.
- Caveat: the Metasploit module notes this traversal technique 'should work on version 8 and below', implying ColdFusion 9.x behaviour may differ and traversal depth/path must be adjusted manually via the TRAV option.
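The detection notes above turned into runnable matching logic, as an added example that is not code from any of the sources on this page. It tags requests to /CFIDE/ pages whose locale parameter carries traversal or a null byte, POSTs to /CFIDE/administrator/ that replay a 40-character uppercase hex value as cfadminPassword, 200 responses that expose password.properties keys, and source IPs walking the traversal depth downward on enter.cfm. The event dictionary layout (src/method/target/body/status/resp_body), the sample traffic, the addresses and the hash value are all constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CFIDE_RE = re.compile(r"^/cfide/", re.IGNORECASE)   # admin console pages live here
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")              # ../ or ..\ after percent-decoding
HEX40_UPPER_RE = re.compile(r"^[0-9A-F]{40}$")       # SHA-1 hash replayed as cfadminPassword
LEAK_MARKERS = ("rdspassword=", "encrypted=")        # keys present in password.properties

def traversal_depth(decoded_locale):
    """Count ../ (or ..\\) segments in an already percent-decoded locale value."""
    return len(TRAVERSAL_RE.findall(decoded_locale))

def classify_request(method, target, body="", status=None, resp_body=""):
    """Tag one request/response pair against the indicators above; [] if none matched."""
    parts = urlsplit(target)
    if not CFIDE_RE.match(parts.path):
        return []
    tags = set()
    for value in parse_qs(parts.query).get("locale", []):  # parse_qs decodes %2e%2e%2f and %00
        if traversal_depth(value):
            tags.add("locale-traversal")
        if "\x00" in value:
            tags.add("null-byte")
    if method.upper() == "POST" and parts.path.rstrip("/").lower() == "/cfide/administrator":
        if any(HEX40_UPPER_RE.match(v) for v in parse_qs(body).get("cfadminPassword", [])):
            tags.add("hash-login")
    if status == 200 and all(marker in resp_body for marker in LEAK_MARKERS):
        tags.add("password-properties-disclosed")
    return sorted(tags)

def depth_walk_sources(events, min_steps=3):
    """Source IPs whose enter.cfm hits carry strictly shrinking traversal depth (one ../ dropped per try)."""
    depths = defaultdict(list)
    for ev in events:
        parts = urlsplit(ev["target"])
        if not parts.path.lower().endswith("/cfide/administrator/enter.cfm"):
            continue
        for value in parse_qs(parts.query).get("locale", []):
            depths[ev["src"]].append(traversal_depth(value))
    return sorted(ip for ip, d in depths.items()
                  if len(d) >= min_steps and all(a > b for a, b in zip(d, d[1:])))

def scan(events):
    """(src, tags) for every event that matched at least one indicator."""
    return [(ev["src"], tags) for ev in events
            if (tags := classify_request(ev["method"], ev["target"], ev.get("body", ""),
                                         ev.get("status"), ev.get("resp_body", "")))]

# Constructed sample traffic (RFC 5737 addresses, placeholder hash), not a real capture
_H = "0123456789ABCDEF0123456789ABCDEF01234567"
_TRAV = "/CFIDE/administrator/enter.cfm?locale={}lib/password.properties%00en"
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "method": "GET", "target": _TRAV.format("../" * 7)},
    {"src": "198.51.100.7", "method": "GET", "target": _TRAV.format("../" * 6)},
    {"src": "198.51.100.7", "method": "GET", "target": _TRAV.format("../" * 5),
     "status": 200, "resp_body": "rdspassword=<redacted>\nencrypted=true\n"},
    {"src": "198.51.100.7", "method": "POST", "target": "/CFIDE/administrator/", "body": "cfadminPassword=" + _H},
    {"src": "203.0.113.5", "method": "GET", "target": "/CFIDE/administrator/enter.cfm?locale=en"},
]
```

Running scan(SAMPLE_EVENTS) flags the four attacker events and leaves the plain locale=en request alone; depth_walk_sources(SAMPLE_EVENTS) returns the single source that walked the depth from 7 down to 5.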
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Adobe ColdFusion Directory Traversal Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CRITICAL · CWE-22
Vulnerability: Adobe ColdFusion Directory Traversal Vulnerability
Affected: Adobe ColdFusion
A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-2861
Remediation Due Date: 2022-04-15
GHSA
GHSA-755h-qpqx-6774 (CVE-2010-5290)
ghsa_unreviewed · 2022-05-17 · CVSS 9.8 · CRITICAL
The authentication process in Adobe ColdFusion before 10 does not require knowledge of the cleartext password if the password hash is known, which makes it easier for context-dependent attackers to obtain administrative privileges by leveraging read access to the configuration file, a different vulnerability than CVE-2010-2861.
GHSA
GHSA-x38c-xq6c-937h (CVE-2010-2861)
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-22
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
VulnCheck
Adobe ColdFusion Directory Traversal Vulnerability
vulncheck · 2010 · CVSS 9.8 · CRITICAL · CWE-22
A directory traversal vulnerability exists in the administrator console in Adobe ColdFusion which allows remote attackers to read arbitrary files.
Affected: Adobe ColdFusion
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/; https://cybersecurityworks.com/howdymanage/uploads/file/csw_final_ransomware_index-update-q321-csw_.pdf; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.greynoise.io/blog/battling-ransomware-one-
Suricata
ET WEB_SERVER WEBSHELL CFM Shell Access
suricata · 2014-03-18
Rule: alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WEBSHELL CFM Shell Access"; flow:established,to_client; file.data; content:"CFM shell"; nocase; reference:url,blog.spiderlabs.com/2014/03/coldfusion-admin-compromise-analysis-cve-2010-2861.html; classtype:successful-admin; sid:2018290; rev:3; metadata:created_at 2014_03_18, signature_severity Major, updated_at 2024_03_13;)
Suricata
ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)
suricata · 2010-09-28 · CVSS 9.8 · CRITICAL
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 2/5)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/archives/index.cfm"; fast_pattern; nocase; http.uri.raw; url_decode; content:"locale=../../"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011359; rev:9; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confiden
Suricata
ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)
suricata · 2010-09-28 · CVSS 9.8 · CRITICAL
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 1/5)"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/CFIDE/wizards/common/_logintowizard.cfm"; fast_pattern; http.uri.raw; url_decode; content:"locale=../../"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,CVE-2010-2861; classtype:web-application-attack; sid:2011358; rev:8; metadata:created_at 2010_09_28, deployment Perimeter, deployment Internal, confide
Suricata
ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)
suricata · 2010-09-28
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 5/5)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/enter.cfm"; fast_pattern; nocase; http.uri.raw; url_decode; content:"locale=../../"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,2010-2861; classtype:web-application-attack; sid:2011362; rev:9; metadata:created_at 2010_09_28, cve CVE_2010_2861, deployment Perimeter, deployment Internal, co
Suricata
ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)
suricata · 2010-09-28
Rule: alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER ColdFusion Path Traversal (locale 3/5)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/administrator/entman/index.cfm"; fast_pattern; nocase; http.uri.raw; url_decode; content:"locale=../../"; nocase; reference:url,www.exploit-db.com/exploits/14641/; reference:url,h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964; reference:url,www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/; reference:cve,2010-2861; classtype:web-application-attack; sid:2011360; rev:10; metadata:created_at 2010_09_28, cve CVE_2010_2861, deployment Perimeter, deployment Inte
Exploit-DB
Adobe ColdFusion - Directory Traversal (Metasploit)
exploitdb · 2011-03-16
---
##
# $Id: coldfusion_traversal.rb 11974 2011-03-16 01:38:16Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Adobe ColdFusion - Directory Traversal',
'Description' => %q{
This module exploits a directory traversal bug in Adobe ColdFusion.
By reading the password.properties a user can login using the encrypted
password itself. This should work on version 8 and below.
},
'License' => MSF_LICENSE,
'Author' => [ 'webDEViL' ],
'Version' => '$Revision: 11974 $',
'References' =>
[
[ 'CVE
Exploit-DB
Adobe ColdFusion - Directory Traversal
exploitdb · 2010-08-14 · CVSS 9.8 · CRITICAL
---
# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
# LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"
#!/usr/bin/python
# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
# leo 13.08.2010
import sys
import socket
import re
# in case some directories are blocked
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/i
Nuclei
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
nuclei · CVSS 9.8 · CRITICAL
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
Template:
id: CVE-2010-2861
info:
name: Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
author: pikpikcu
severity: high
description: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3)
Metasploit
ColdFusion Server Check
metasploit
This module attempts to exploit the directory traversal in the 'locale' attribute. According to the advisory the following versions are vulnerable: ColdFusion MX6 6.1 base patches, ColdFusion MX7 7,0,0,91690 base patches, ColdFusion MX8 8,0,1,195765 base patches, ColdFusion MX8 8,0,1,195765 with Hotfix4. Adobe released patches for ColdFusion 8.0, 8.0.1, and 9 but ColdFusion 9 is reported to have directory traversal protections in place, subsequently this module does NOT work against ColdFusion 9. Adobe did not release patches for ColdFusion 6.1 or ColdFusion 7. It is not recommended to set FILE when doing scans across a group of servers where the OS may vary; otherwise, the file requested may not make sense for the OS
Tenable
Cybersecurity Snapshot: Ghost Ransomware Group Targets Known Vulns, CISA Warns, While Report Finds Many Cyber Pros Want To Switch Jobs
blogs_tenable · 2025-02-21
Bleepingcomputer
CISA and FBI: Ghost ransomware breached orgs in 70 countries
blogs_bleepingcomputer · 2025-02-19 · CVSS 6.5 · MEDIUM
By Sergiu Gatlan
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
Other industries impacted include healthcare, government, education, technology, manufacturing, and numerous small and medium-sized businesses.
"Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware," CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) said in a joint advisory released on Wednesday.
"This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizatio
Trendmicro
Examining the Cring Ransomware Techniques
blogs_trendmicro · 2021-09-24 · CVSS 9.8 · CRITICAL
In this entry, we look at the techniques typically employed by the Cring ransomware, as well as the most affected regions and industries.
By: Warren Sto.Tomas, 2021/09/24
The Cring ransomware made headlines as the threat was used in an attack that exploited a bug in the 11-year-old version of the Adobe ColdFusion 9 software.
This has been the first recorded incident involving Cring operators’ use of the said vulnerability. Past Cring attacks either abused unsecure remote desktop protocol (RDP) or virtual private network (VPN) vulnerabilities to gain initial access.
Ransom.Win32.CRING.C is our detection name for the executable, while Ransom.MSIL.CRYNG.A is the detection name that is used to detect C#-based s
References
- http://securityreason.com/securityalert/8137
- http://securityreason.com/securityalert/8148
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
- http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
- http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-2861

Timeline
- 2010-08-11: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild