CVE-2013-0629
published 2013-01-09


Priority: P1 (84, high); CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Badges: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-09-07
Exploited in the wild
EPSS: 65.90% (99.2 percentile)
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013.

Affected (4 ranges)

Vendor	Product	Version range	Fixed in
adobe	coldfusion		
adobe	coldfusion		
adobe	coldfusion		
adobe	coldfusion		

Detection & IOCs (extracted from sources)

path: /CFIDE/administrator/scheduler/scheduletasks.cfm
path: /CFIDE/administrator/scheduler/scheduleedit.cfm
path: /CFIDE/administrator/settings/memoryvariables.cfm
path: ../../wwwroot/CFIDE/
url: /CFIDE/<cfm>?cmd=<cmd>&args=<args>
  • Monitor for HTTP GET/POST requests to the ColdFusion scheduler paths (/CFIDE/administrator/scheduler/scheduletasks.cfm and scheduleedit.cfm) from unauthenticated or anomalous sources; such requests indicate exploitation of the directory traversal to drop files via scheduled-task abuse.
  • Detect directory traversal sequences (../../wwwroot/CFIDE/) in the 'publish_file' POST parameter sent to scheduleedit.cfm; this is the mechanism used to write arbitrary files outside the intended location.
  • Alert on HTTP requests to /CFIDE/*.cfm that carry both the 'cmd' and 'args' query parameters; this pattern indicates execution of a dropped ColdFusion webshell payload.
  • Look for the CFAUTHORIZATION_ cookie being set or manipulated in requests to and responses from ColdFusion admin paths, as the exploit harvests and replays these cookies to bypass authentication.
  • Detect scheduled-task creation via POST to scheduleedit.cfm with 'publish=1' and a 'publish_file' value containing path traversal sequences, indicating an attempt to write attacker-controlled content to disk.
  • The vulnerability is only exploitable when ColdFusion is configured WITHOUT an administrator password. Instances with a password configured are not affected by CVE-2013-0629 alone.
  • The Metasploit module chains CVE-2013-0629 (directory traversal) with CVE-2013-0632 (authentication bypass) and CVE-2013-0625 (RCE via scheduleedit.cfm, 9.x only). Detection and remediation should account for all three CVEs together.
  • The exploit uses RDS credentials by default (the USERDS option defaults to true). Environments with RDS disabled may partially mitigate the authentication-bypass component, but the directory traversal itself may still be reachable.

CVSS provenance

nvd	v3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd	v2.0	4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N
vulncheck		7.5	HIGH	
cisa		7.5	HIGH	