cvebase.
CVE-2010-2861
published 2010-08-11

CVE-2010-2861: Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files…

Priority: P1 · 93 · critical · 9.8 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 99.72% (100.0th percentile)
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.

Affected (4 ranges)

Vendor   Product      Version range   Fixed in
adobe    coldfusion   <= 9.0.2        -
adobe    coldfusion   <= 9.0.1        -
adobe    coldfusion   -               -
adobe    coldfusion   -               -

Detection & IOCs (extracted from sources)

path      /CFIDE/administrator/enter.cfm
url       /CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en
path      /CFIDE/administrator/settings/mappings.cfm
path      /CFIDE/administrator/logging/settings.cfm
path      /CFIDE/administrator/datasources/index.cfm
path      /CFIDE/administrator/j2eepackaging/editarchive.cfm
path      /CFIDE/wizards/common/_logintowizard.cfm
path      /CFIDE/administrator/archives/index.cfm
path      /cfide/install.cfm
filename  password.properties
cookie    CFAUTHORIZATION_cfadmin
  • Detect LFI exploitation attempts by matching GET/POST requests to ColdFusion admin CFM endpoints whose 'locale' parameter contains directory traversal sequences followed by a null byte (%00) and a short locale-looking suffix such as 'en'; the null byte truncates the path so whatever the application appends after the locale (the file-extension bypass) is ignored. Match on the URL-decoded value so %2e%2e%2f variants are caught as well.
  • Match HTTP 200 responses to ColdFusion admin pages whose body contains both 'rdspassword=' and 'encrypted=' strings, indicating successful password.properties file disclosure.
  • The Metasploit module iterates traversal depth by stripping leading '../' segments until a 40-character hex SHA-1 hash is found in the response body — monitor for repeated GET requests to enter.cfm with progressively shorter locale traversal strings from the same source IP.
  • After hash extraction, the exploit authenticates by POSTing an HMAC-SHA1 of the extracted hash to /CFIDE/administrator/ — detect POST requests to this endpoint with a 'cfadminPassword' parameter that is a 40-character hex string (letter case depends on the tool). The stock login page also hashes client-side and submits a 40-character hex HMAC, so this POST on its own is weak evidence; correlate it with a preceding locale-traversal request from the same source.
  • Shodan/FOFA queries used to identify exposed ColdFusion admin panels as pre-exploitation reconnaissance — monitor for scanning activity targeting these fingerprints.
  • Post-exploitation: Cring ransomware uses Windows CertUtil to download payloads — monitor for certutil.exe invocations downloading remote files following ColdFusion process activity.
  • Post-exploitation: Cobalt Strike Beacon (PS1 dropper SHA-256 a999e096...) is deployed after initial access via CVE-2010-2861 — correlate ColdFusion web server child process spawning PowerShell with encoded commands.
  • The null-byte truncation technique (%00) used in the locale parameter traversal may be filtered or ineffective on patched or modern JVM/OS configurations where null-byte injection in file paths is blocked (Java 7u40 and later reject paths containing a NUL byte in java.io.File, which removes the truncation the %00 relies on). Detection should still fire on the attempt: the request pattern is the same whether or not the read succeeds.
  • The Metasploit module notes this traversal technique 'should work on version 8 and below', implying ColdFusion 9.x behaviour may differ and the traversal depth/path must be adjusted manually via the TRAV option. Expect probing traffic to vary the number of '../' segments for that reason.
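The request-side and response-side rules in the bullets above, run over constructed log records, as an added example for this page (not code from the page, from Adobe, or from the Metasploit module). The record layout is an assumption: one request per line as "src_ip<TAB>method<TAB>url<TAB>body", the kind of capture a reverse proxy or WAF with body logging produces; the sample hashes and IPs are made up.

```python
"""Detection rules for CVE-2010-2861 exploitation attempts against the
ColdFusion administrator console, run over constructed proxy/WAF records.
Added example; not code from the page, Adobe, or Metasploit. Assumed record
layout: one request per line, "src_ip<TAB>method<TAB>url<TAB>body"."""

import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Any .cfm under the administrator console; case-insensitive for Windows/IIS hosts
ADMIN_CFM = re.compile(r"^/cfide/administrator/(?:.+/)?[^/]+\.cfm$", re.IGNORECASE)
# One traversal step, "../" or "..\". Values are URL-decoded before matching,
# so %2e%2e%2f is caught as well; double-encoding (%252e) is not.
TRAVERSAL_STEP = re.compile(r"\.\.[/\\]")
# A NUL byte followed by the short locale-looking suffix the exploit appends ("%00en")
NULL_SUFFIX = re.compile(r"\x00[A-Za-z_-]{1,8}$")
HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")

# Constructed records: a depth walk (8, 7, 6 traversal steps) and a hash login from
# one host, then two benign requests from another host.
SAMPLE_LOG = "\n".join([
    "198.51.100.7\tGET\t/CFIDE/administrator/enter.cfm?locale="
    "../../../../../../../../lib/password.properties%00en\t",
    "198.51.100.7\tGET\t/CFIDE/administrator/enter.cfm?locale="
    "../../../../../../../lib/password.properties%00en\t",
    "198.51.100.7\tGET\t/CFIDE/administrator/enter.cfm?locale="
    "../../../../../../lib/password.properties%00en\t",
    "198.51.100.7\tPOST\t/CFIDE/administrator/enter.cfm\t"
    "cfadminPassword=3c2b1a0f9e8d7c6b5a4938271605f4e3d2c1b0a9&salt=1650000000000&submit=Login",
    "203.0.113.9\tGET\t/CFIDE/administrator/enter.cfm?locale=en\t",
    "203.0.113.9\tGET\t/index.cfm?locale=../../etc/passwd\t",
])

# Constructed body of a disclosed lib/password.properties (hash value is made up)
SAMPLE_RESPONSE = (
    "#Tue Mar 01 10:00:00 UTC 2022\n"
    "rdspassword=\n"
    "password=3C2B1A0F9E8D7C6B5A4938271605F4E3D2C1B0A9\n"
    "encrypted=true\n"
)


def split_locale(url):
    """Return (path, URL-decoded 'locale' value or None) for a request URL."""
    parts = urlsplit(url)
    vals = parse_qs(parts.query, keep_blank_values=True).get("locale")
    return parts.path, (vals[0] if vals else None)


def traversal_depth(value):
    """Number of '../' (or '..\\') steps in a decoded locale value."""
    return len(TRAVERSAL_STEP.findall(value))


def classify(method, url, body):
    """Label one request: lfi_probe_nullbyte, lfi_probe, hash_login, or None."""
    path, locale = split_locale(url)
    if not ADMIN_CFM.match(path):
        return None
    if locale is not None and traversal_depth(locale) > 0:
        return "lfi_probe_nullbyte" if NULL_SUFFIX.search(locale) else "lfi_probe"
    if method.upper() == "POST":
        pw = parse_qs(body, keep_blank_values=True).get("cfadminPassword", [""])[0]
        if HEX40.match(pw):
            return "hash_login"
    return None


def looks_like_password_properties(response_body):
    """Response-side rule: both markers of a disclosed password.properties."""
    return "rdspassword=" in response_body and "encrypted=" in response_body


def analyze(log_text):
    """Run the rules over the log; return alerts as (src_ip, label, detail)."""
    alerts = []
    depths = defaultdict(list)  # src_ip -> traversal depths seen, in order
    probed = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, method, url, body = line.split("\t", 3)
        label = classify(method, url, body)
        if label is None:
            continue
        if label.startswith("lfi_probe"):
            probed.add(src)
            depths[src].append(traversal_depth(split_locale(url)[1]))
            alerts.append((src, label, url))
        elif label == "hash_login" and src in probed:
            # A normal browser login also submits a 40-hex HMAC, so the POST is
            # only reported when the same source probed the locale parameter first.
            alerts.append((src, "hash_login_after_probe", url))
    # Metasploit-style depth walk: same source, strictly decreasing traversal depth
    for src, seq in depths.items():
        if len(seq) >= 2 and all(a > b for a, b in zip(seq, seq[1:])):
            alerts.append((src, "traversal_depth_walk", f"depths {seq}"))
    return alerts


if __name__ == "__main__":
    for src, label, detail in analyze(SAMPLE_LOG):
        print(f"{src}  {label}  {detail}")
    print("response looks like password.properties:",
          looks_like_password_properties(SAMPLE_RESPONSE))
```

On the sample records this yields three lfi_probe_nullbyte alerts, one traversal_depth_walk alert and one hash_login_after_probe alert, all for 198.51.100.7, and nothing for the benign host; the traversal attempt against /index.cfm is deliberately out of scope because the page's IOCs are all under /CFIDE/. The response-side check needs body logging or an IDS with HTTP reassembly, since access logs alone never carry the rdspassword=/encrypted= markers.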

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   7.5   HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL