CVE-2013-0625
published 2013-01-09

CVE-2013-0625: Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code…

Priority P194 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-09-07
Exploited in the wild
EPSS: 93.80% (99.8th percentile)
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
adobe | coldfusion | |
adobe | coldfusion | |
adobe | coldfusion | |

Detection & IOCs (extracted from sources)

path: /CFIDE/administrator/scheduler/scheduleedit.cfm
path: /CFIDE/administrator/scheduler/scheduletasks.cfm
path: /CFIDE/administrator/settings/memoryvariables.cfm
command: ?cmd=<cmd>&args=<args>
  • Monitor for unauthenticated POST requests to /CFIDE/administrator/scheduler/scheduleedit.cfm, which is the vector for CVE-2013-0625 arbitrary command execution on ColdFusion 9.x.
  • Detect HTTP requests to ColdFusion scheduler paths (/CFIDE/administrator/scheduler/scheduletasks.cfm and scheduleedit.cfm) that include a 'publish_file' parameter containing directory traversal sequences (e.g., '../../wwwroot/CFIDE/').
  • Alert on GET requests to /CFIDE/*.cfm containing both 'cmd=' and 'args=' query parameters, indicative of the exploit's remote execution mechanism.
  • Look for the CFAUTHORIZATION_ cookie being set or manipulated in responses, as the exploit harvests and replays these cookies for authentication bypass.
  • Flag exploitation attempts observed in the wild starting January 2013; prioritize patching and detection on internet-facing ColdFusion 9.0, 9.0.1, and 9.0.2 instances with no administrator password configured.
  • The authentication bypass (CVE-2013-0625) only applies when no administrator password is configured on ColdFusion 9.x. Instances with a password set are not directly vulnerable to this specific bypass vector.
  • The scheduleedit.cfm command execution vector (CVE-2013-0625) is limited to ColdFusion 9.x only; other versions use different exploit paths in this module.
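
The three request-based checks above, applied to web access logs. This is an added example, not part of the original entry or of any vendor tooling. It assumes Combined Log Format, inspects only the request line (so a publish_file value sent in a POST body is not visible, and authentication state cannot be determined), and uses hypothetical rule names and constructed sample lines.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EDIT = "/cfide/administrator/scheduler/scheduleedit.cfm"
TASKS = "/cfide/administrator/scheduler/scheduletasks.cfm"

# Constructed sample lines (documentation IP ranges, placeholder file names and values).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2013:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/Jan/2013:10:00:02 +0000] '
    '"POST /CFIDE/administrator/scheduler/scheduleedit.cfm HTTP/1.1" 200 1024',
    '198.51.100.7 - - [09/Jan/2013:10:00:03 +0000] '
    '"GET /CFIDE/administrator/scheduler/scheduletasks.cfm'
    '?publish_file=..%2F..%2Fwwwroot%2FCFIDE%2Fexample.cfm HTTP/1.1" 200 300',
    '198.51.100.7 - - [09/Jan/2013:10:00:04 +0000] '
    '"GET /CFIDE/example.cfm?cmd=EXAMPLE&args=EXAMPLE HTTP/1.1" 200 40',
]

def classify(line):
    """Return the names of the rules (hypothetical labels) that one log line matches."""
    m = REQ.search(line)
    if not m:
        return []
    method, parts = m["method"], urlsplit(m["target"])
    # Lowercase path and parameter names so case variants still match.
    path = unquote(parts.path).lower()
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    hits = []
    if method == "POST" and path == EDIT:
        hits.append("post-scheduleedit")
    # parse_qs percent-decodes values, so ..%2F is seen as ../
    if path in (EDIT, TASKS) and any(".." in v for v in query.get("publish_file", [])):
        hits.append("publish-file-traversal")
    if (method == "GET" and path.startswith("/cfide/") and path.endswith(".cfm")
            and "cmd" in query and "args" in query):
        hits.append("cmd-args-get")
    return hits

def scan(lines):
    """Map 1-based line numbers to matched rules, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := classify(line))}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(n, hits)
```

A POST to scheduleedit.cfm is also produced by legitimate administrator activity, so hits from that rule need correlation with source address and administrator sessions before escalation.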

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck | 9.8 | CRITICAL
cisa | 9.8 | CRITICAL