⚠ Actively exploited
Added to CISA KEV on 2022-03-03. Federal agencies required to patch by 2022-03-24. Required action: Apply updates per vendor instructions..

CVE-2013-0632Incorrect Default Permissions in Adobe Coldfusion

CWE-276Incorrect Default PermissionsCWE-200Sensitive Information Exposure8 documents6 sources
Severity
9.8CRITICALNVD
EPSS
92.7%
top 0.25%
CISA KEV
KEV
Added 2022-03-03
Due 2022-03-24
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Adobe Coldfusion
Timeline
PublishedJan 17
KEV addedMar 3
KEV dueMar 24
Latest updateMay 17
CISA Required Action: Apply updates per vendor instructions.

Description

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDadobe/coldfusion4 versions+3

🔴Vulnerability Details

3
GHSA
GHSA-8xf7-v5jv-237f: administrator2022-05-17
CVEList
CVE-2013-0632: administrator2013-01-17
VulnCheck
Adobe ColdFusion Authentication Bypass Vulnerability2013

💥Exploits & PoCs

3
Exploit-DB
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)2013-12-11
Exploit-DB
Adobe ColdFusion 9 - Administrative Authentication Bypass2013-08-21
Exploit-DB
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)2013-04-10

📋Vendor Advisories

1
CISA
Adobe ColdFusion Authentication Bypass Vulnerability2022-03-03
CVE-2013-0632 — Incorrect Default Permissions in Adobe | cvebase