CVE-2013-0632
published 2013-01-17
CVE-2013-0632: administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging…
Priority P194 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2022-03-24
Exploited in the wild
EPSS: 93.69% (99.8th percentile)
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs
- Detect POST requests to /CFIDE/adminapi/administrator.cfc with parameters 'rdsPasswordAllowed=1' and an empty 'adminpassword' field — this is the core authentication bypass trigger for CVE-2013-0632.
- Monitor for the CFAUTHORIZATION_cfadmin cookie being set after a POST to /CFIDE/adminapi/administrator.cfc, then immediately reused in GET requests to /CFIDE/administrator/index.cfm — this cookie-carry-over pattern is the session hijack step of the exploit.
- Detect GET requests to /CFIDE/administrator/settings/mappings.cfm with parameter name=/CFIDE after a bypass login — attackers use this to disclose the server-side file path for payload upload.
- The MD5 hash 596b3fc4f1a0b818979db1cf94a82220 of /CFIDE/administrator/images/loginbackground.jpg is used by exploit tooling to fingerprint ColdFusion 9 targets; presence of this hash in exploit traffic indicates active reconnaissance.
- The login function never checks if RDS is enabled when rdsPasswordAllowed='true'. Monitor ColdFusion logs for RDS login attempts with a blank password, especially on systems where RDS was never configured.
- The bypass only works when the RDS password is blank (default or misconfigured). Systems where RDS was properly configured with a non-empty password are not vulnerable via this specific vector.
- ColdFusion 9.0, 9.0.1, and 9.0.2 are confirmed vulnerable; ColdFusion 10 is also listed as affected. The Metasploit fingerprinting check specifically targets ColdFusion 9 via the loginbackground.jpg MD5 hash.
- The scheduler-based payload drop technique writes files to ../../wwwroot/CFIDE/ relative to the ColdFusion install path; the exact writable path is leaked via the mappings.cfm disclosure step and may vary by installation.
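The request sequence from the detection notes above, written as a log check. This is an added example, not code from any source quoted on this page. It assumes Common Log Format access logs, which record neither POST bodies nor cookies, so it correlates requests by client address within a time window (both assumptions); the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Common Log Format (not from a real incident).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Jan/2013:10:00:01 +0000] "POST /CFIDE/adminapi/administrator.cfc HTTP/1.1" 200 512
198.51.100.7 - - [17/Jan/2013:10:00:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 9041
198.51.100.7 - - [17/Jan/2013:10:00:04 +0000] "GET /CFIDE/administrator/settings/mappings.cfm?name=/CFIDE HTTP/1.1" 200 3310
203.0.113.20 - - [17/Jan/2013:10:05:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 9041
203.0.113.9 - - [17/Jan/2013:11:00:00 +0000] "POST /CFIDE/adminapi/administrator.cfc HTTP/1.1" 200 512
203.0.113.9 - - [17/Jan/2013:13:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 9041
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ADMINAPI = "/cfide/adminapi/administrator.cfc"
ADMIN_INDEX = "/cfide/administrator/index.cfm"
MAPPINGS = "/cfide/administrator/settings/mappings.cfm"

def find_bypass_sequences(log_text, window=timedelta(minutes=5)):
    """Return (client, stage, timestamp) for admin requests that follow an adminapi POST."""
    last_post = {}  # client -> time of its most recent POST to administrator.cfc
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, method, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        url = urlsplit(target)
        path = url.path.lower()  # compare paths case-insensitively
        if method == "POST" and path == ADMINAPI:
            last_post[client] = when
            continue
        seen = last_post.get(client)
        if method != "GET" or seen is None or when - seen > window:
            continue  # no recent adminapi POST from this client
        if path == ADMIN_INDEX:
            findings.append((client, "admin-ui-after-adminapi-post", when))
        elif path == MAPPINGS and "/CFIDE" in parse_qs(url.query).get("name", []):
            findings.append((client, "mappings-path-lookup", when))
    return findings

if __name__ == "__main__":
    for client, stage, when in find_bypass_sequences(SAMPLE_LOG):
        print(when.isoformat(), client, stage)
```

A hit is a lead for review rather than proof of compromise; confirming the empty-password login itself requires request-body or application logging.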
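CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |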
GHSA
GHSA-8xf7-v5jv-237f: administrator
ghsa_unreviewed·2022-05-17
CVE-2013-0632 [HIGH] CWE-200 GHSA-8xf7-v5jv-237f: administrator
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
VulnCheck
Adobe ColdFusion Authentication Bypass Vulnerability
vulncheck·2013·CVSS 9.8
CVE-2013-0632 [CRITICAL] CWE-200 Adobe ColdFusion Authentication Bypass Vulnerability
An authentication bypass vulnerability exists in Adobe ColdFusion which could result in an unauthorized user gaining administrative access.
Affected: Adobe ColdFusion
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2013-0632; https://www.adobe.com/support/security/advisories/apsa13-01.html; https://cisa.gov/news-events/alerts/2015/04/29/top-30-targeted-high-risk-vulnerabilities; https://www.us-cert.gov/ncas/alerts/TA15-119A; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://storage.ghost.io/c/af/a0/afa04ee3-414f-4481-8d23-7e7c146f192e/content/files/2026/03/2025YiR-report.pdf
Remediation Due: 2022-03-24
CISA
Adobe ColdFusion Authentication Bypass Vulnerability
cisa·2022-03-03·CVSS 9.8
CVE-2013-0632 [CRITICAL] CWE-200 Adobe ColdFusion Authentication Bypass Vulnerability
Vulnerability: Adobe ColdFusion Authentication Bypass Vulnerability
Affected: Adobe ColdFusion
An authentication bypass vulnerability exists in Adobe ColdFusion which could result in an unauthorized user gaining administrative access.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-0632
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)
exploitdb·2013-12-11
CVE-2013-0632 Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'Adobe ColdFusion 9 Administrative Login Bypass',
'Description' => %q{
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication using the RDS component. Its password can
by default or by misconfiguration be set to an empty value. This allows you to create a session via the RDS login that
can be carried over to the admin web interface even though the passwords might be different. Therefore bypassing
authentication on the admin web interface which then could lead to arbitrary code execution.
Tested on Windows
Exploit-DB
Adobe ColdFusion 9 - Administrative Authentication Bypass
exploitdb·2013-08-21·CVSS 9.8
CVE-2013-0632 [CRITICAL] Adobe ColdFusion 9 - Administrative Authentication Bypass
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------------+
| Packet Storm Advisory 2013-0819-2 |
| http://packetstormsecurity.com/ |
+------------------------------------------------------------------------------+
| Title: Adobe ColdFusion 9 Administrative Login Bypass |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/08/19 |
| Advisory Contact | Packet Storm ([email protected]) |
| Researcher | Scott Buckel |
+--------------------+---------------------------------------------------------+
| System Affected | ColdFusion |
| Versions Affected | 9.0, 9.0.1, 9.0.2 |
| Related Advisory | APSB
Exploit-DB
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)
exploitdb·2013-04-10·CVSS 9.8
CVE-2013-0632 [CRITICAL] Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'digest/sha1'
require 'openssl'
class Metasploit3 'Adobe ColdFusion APSB13-03',
'Description' => %q{
This module exploits a pile of vulnerabilities in Adobe ColdFusion APSB13-03:
* CVE-2013-0625: arbitrary command execution in scheduleedit.cfm (9.x only)
* CVE-2013-0629: directory traversal
* CVE-2013-0632: authentication bypass
},
'Author' =>
[
'Jon Hart MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-0625'],
[ 'CVE', '2013-0629'],
# we don't actually
Metasploit
Adobe ColdFusion RDS Authentication Bypass
metasploit
Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allow remote attackers to bypass authentication using the RDS component. Due to default settings or misconfiguration, its password can be set to an empty value. This allows an attacker to create a session via the RDS login that can be carried over to the admin web interface even though the passwords might be different, thereby bypassing authentication on the admin web interface and leading to arbitrary code execution. Tested on Windows and Linux with ColdFusion 9.
Krebs
Data Broker Hackers Also Compromised NW3C
blogs_krebs·2013-10-01
The same miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data from the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime.
The bot that was resident for almost 3 months inside of NW3C.
Last week, KrebsOnSecurity reported that entrepreneurs behind the underground criminal identity theft service ssndob[dot]ms also were responsible for operating a small but powerful collection of hacked computers exclusively at top data brokers, including LexisNexis, Dun & Bradstreet and HireRight/K
- http://www.adobe.com/support/security/advisories/apsa13-01.html
- http://www.adobe.com/support/security/bulletins/apsb13-03.html
- http://www.exploit-db.com/exploits/30210
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-0632
2013-01-17: Published
2022-03-03: Added to CISA KEV
Exploited in the wild