CVE-2013-0632
published 2013-01-17

Priority: P1 (94), critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-03-24
Exploited in the wild: yes
EPSS: 93.69% (99.8th percentile)
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

Affected

4 ranges

Vendor   Product      Version range   Fixed in
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion

Detection & IOCs (extracted from sources)

path: /CFIDE/adminapi/administrator.cfc
path: /CFIDE/administrator/index.cfm
path: /CFIDE/administrator/scheduler/scheduleedit.cfm
path: /CFIDE/administrator/scheduler/scheduletasks.cfm
path: /CFIDE/administrator/settings/mappings.cfm
cookie: CFAUTHORIZATION_cfadmin
hash (MD5): 596b3fc4f1a0b818979db1cf94a82220
command (POST body): method=login&adminpassword=&rdsPasswordAllowed=1
  • Detect POST requests to /CFIDE/adminapi/administrator.cfc with parameters 'rdsPasswordAllowed=1' and an empty 'adminpassword' field — this is the core authentication bypass trigger for CVE-2013-0632.
  • Monitor for the CFAUTHORIZATION_cfadmin cookie being set after a POST to /CFIDE/adminapi/administrator.cfc, then immediately reused in GET requests to /CFIDE/administrator/index.cfm — this cookie-carry-over pattern is the session hijack step of the exploit.
  • Detect GET requests to /CFIDE/administrator/settings/mappings.cfm with parameter name=/CFIDE after a bypass login — attackers use this to disclose the server-side file path for payload upload.
  • The MD5 hash 596b3fc4f1a0b818979db1cf94a82220 of /CFIDE/administrator/images/loginbackground.jpg is used by exploit tooling to fingerprint ColdFusion 9 targets; presence of this hash in exploit traffic indicates active reconnaissance.
  • The login function never checks if RDS is enabled when rdsPasswordAllowed='true'. Monitor ColdFusion logs for RDS login attempts with a blank password, especially on systems where RDS was never configured.
  • The bypass only works when the RDS password is blank (default or misconfigured). Systems where RDS was properly configured with a non-empty password are not vulnerable via this specific vector.
  • ColdFusion 9.0, 9.0.1, and 9.0.2 are confirmed vulnerable; ColdFusion 10 is also listed as affected. The Metasploit fingerprinting check specifically targets ColdFusion 9 via the loginbackground.jpg MD5 hash.
  • The scheduler-based payload drop technique writes files to ../../wwwroot/CFIDE/ relative to the ColdFusion install path; the exact writable path is leaked via the mappings.cfm disclosure step and may vary by installation.
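The detection bullets above describe a chain, not a single signature: a blank-password RDS login to administrator.cfc, the CFAUTHORIZATION_cfadmin cookie it issues being replayed against the admin UI, the mappings.cfm path disclosure, and finally the scheduler pages used to drop a payload. The script below is an added example (written for this page, not taken from the advisory sources or from the Metasploit module) that runs that chain over a constructed set of request records. It assumes a JSON-lines export from a reverse proxy or WAF that captures the POST body and both Cookie and Set-Cookie headers, since an ordinary access log carries neither; the record field names, the source addresses, and the cookie value are all made up for the sample. It also includes a defender-side check of whether a server's loginbackground.jpg matches the MD5 that exploit tooling uses to pick ColdFusion 9 targets.

```python
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

# Paths and IOCs listed in the advisory above.
ADMINAPI = "/CFIDE/adminapi/administrator.cfc"
ADMIN_UI = "/CFIDE/administrator/"
MAPPINGS = "/CFIDE/administrator/settings/mappings.cfm"
SCHEDULER = ("/CFIDE/administrator/scheduler/scheduleedit.cfm",
             "/CFIDE/administrator/scheduler/scheduletasks.cfm")
SESSION_COOKIE = "CFAUTHORIZATION_cfadmin"
CF9_LOGINBG_MD5 = "596b3fc4f1a0b818979db1cf94a82220"
TRUE_VALUES = {"1", "true", "yes"}


def _params(rec):
    """Merge query-string and body parameters, keys lower-cased.
    keep_blank_values matters: the empty adminpassword is the IOC."""
    raw = urlsplit(rec.get("url", "")).query + "&" + (rec.get("body") or "")
    return {k.lower(): v for k, v in parse_qs(raw, keep_blank_values=True).items()}


def _cookie(header, name):
    """Value of one cookie from a Cookie / Set-Cookie header, or None."""
    for part in (header or "").split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


def is_bypass_login(rec):
    """CVE-2013-0632 trigger: POST to administrator.cfc requesting an RDS-style
    login (rdsPasswordAllowed truthy) with a present but blank adminpassword."""
    if rec.get("method", "").upper() != "POST":
        return False
    if urlsplit(rec.get("url", "")).path != ADMINAPI:
        return False
    p = _params(rec)
    return (p.get("method", [""])[0].lower() == "login"
            and p.get("rdspasswordallowed", [""])[0].lower() in TRUE_VALUES
            and "adminpassword" in p
            and p["adminpassword"][0] == "")


def analyze(jsonl):
    """Walk records in order and return (src, stage, path) for each exploit
    stage seen. A session cookie is 'tainted' once a bypass login issued it;
    later requests presenting that cookie are attributed to the attacker."""
    tainted = {}   # cookie value -> src that obtained it via the bypass
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = urlsplit(rec.get("url", "")).path
        if is_bypass_login(rec):
            findings.append((rec["src"], "bypass_login", path))
            issued = _cookie(rec.get("set_cookie"), SESSION_COOKIE)
            if issued:
                tainted[issued] = rec["src"]
            continue
        presented = _cookie(rec.get("cookie"), SESSION_COOKIE)
        if presented not in tainted or not path.startswith(ADMIN_UI):
            continue
        p = _params(rec)
        if path == MAPPINGS and p.get("name", [""])[0] == "/CFIDE":
            stage = "path_disclosure"      # leaks the on-disk CFIDE path
        elif path in SCHEDULER:
            stage = "scheduler_abuse"      # payload drop via scheduled task
        else:
            stage = "session_reuse"        # bypass cookie replayed to admin UI
        findings.append((rec["src"], stage, path))
    return findings


def serves_cf9_login_background(image_bytes):
    """Does the loginbackground.jpg this server returns match the MD5 that
    exploit tooling uses to fingerprint ColdFusion 9?"""
    return hashlib.md5(image_bytes).hexdigest() == CF9_LOGINBG_MD5


# Constructed sample: one legitimate admin viewing the login page and logging in
# with a real password (not flagged), then one attacker running the full chain.
SAMPLE_LOG = """\
{"ts":"2013-01-16T10:00:01Z","src":"10.0.0.5","method":"GET","url":"/CFIDE/administrator/index.cfm","cookie":""}
{"ts":"2013-01-16T10:00:02Z","src":"10.0.0.5","method":"POST","url":"/CFIDE/adminapi/administrator.cfc","body":"method=login&adminpassword=Hunter2%21&rdsPasswordAllowed=1","set_cookie":""}
{"ts":"2013-01-16T10:05:00Z","src":"203.0.113.7","method":"POST","url":"/CFIDE/adminapi/administrator.cfc","body":"method=login&adminpassword=&rdsPasswordAllowed=1","set_cookie":"CFAUTHORIZATION_cfadmin=YWRtaW46U0VTU0lPTg%3D%3D; path=/"}
{"ts":"2013-01-16T10:05:01Z","src":"203.0.113.7","method":"GET","url":"/CFIDE/administrator/index.cfm","cookie":"CFAUTHORIZATION_cfadmin=YWRtaW46U0VTU0lPTg%3D%3D"}
{"ts":"2013-01-16T10:05:02Z","src":"203.0.113.7","method":"GET","url":"/CFIDE/administrator/settings/mappings.cfm?name=/CFIDE","cookie":"CFAUTHORIZATION_cfadmin=YWRtaW46U0VTU0lPTg%3D%3D"}
{"ts":"2013-01-16T10:05:03Z","src":"203.0.113.7","method":"GET","url":"/CFIDE/administrator/scheduler/scheduleedit.cfm?submit=Submit","cookie":"CFAUTHORIZATION_cfadmin=YWRtaW46U0VTU0lPTg%3D%3D"}
"""

if __name__ == "__main__":
    for src, stage, path in analyze(SAMPLE_LOG):
        print(f"{src:<14} {stage:<16} {path}")
```

The legitimate POST in the sample is deliberately left unflagged: it carries rdsPasswordAllowed=1 but a non-empty adminpassword, which is exactly the caveat above that a properly set RDS password closes this vector. Keying the later stages on the issued cookie value rather than on source address means the chain is still linked if the attacker rotates IPs between the login and the scheduler step.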

CVSS provenance

nvd, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd, CVSS v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL