CVE-2016-4264
published 2016-09-01


Priority: P2 77 high
CVSS 3.0: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EXPLOIT
EPSS: 69.04% (99.3rd percentile)
The Office Open XML (OOXML) feature in Adobe ColdFusion 10 before Update 21 and 11 before Update 10 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via a crafted OOXML spreadsheet containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Affected (2 ranges)

Vendor   Product      Version range   Fixed in
adobe    coldfusion   <= 10.0
adobe    coldfusion   <= 11.0

Detection & IOCs (extracted from sources)

filename: cf_poc_spreadsheet.xlsx
filename: cf_poc_exploit.xlsx
filename: passdata.xml
path: [Content_Types].xml
path: c:/ColdFusion11/cfusion/lib/neo-security.xml
  • Detect inbound HTTP GET requests for 'passdata.xml' from a ColdFusion server to an external host — this indicates the XXE payload has been triggered and the server is fetching the attacker-controlled XML stage-2 payload.
  • Monitor ColdFusion servers for outbound FTP connections (especially to non-standard ports such as 9090) initiated after processing an XLSX upload — this is the data exfiltration channel used by the XXE exploit via FTP out-of-band technique.
  • Inspect uploaded XLSX/OOXML files for external entity declarations inside [Content_Types].xml — the exploit embeds the XXE payload directly in this ZIP entry.
  • Alert on ColdFusion processes reading sensitive configuration files such as neo-security.xml (which contains admin password hash/salt) following XLSX document processing.
  • Flag FTP sessions from ColdFusion servers where CWD or RETR commands carry file path data — the exploit exfiltrates file contents by encoding them as FTP CWD/RETR command arguments.
  • The exploit targets the #xlsdoc# ColdFusion tag/feature; monitor application logs for OOXML spreadsheet processing events correlated with subsequent outbound HTTP/FTP connections.
  • The exploit can target arbitrary file paths on the victim; the neo-security.xml example is illustrative — any file readable by the ColdFusion process is at risk.
  • The vulnerability affects ColdFusion 10 before Update 21 and ColdFusion 11 before Update 10; ColdFusion 2016 is not affected.
  • The exploit can be delivered via user-uploaded XLSX documents OR by having the application fetch the malicious document from a URL, broadening the attack surface beyond simple file upload endpoints.

CVSS provenance

nvd  v3.0  8.6  HIGH    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
nvd  v2.0  6.4  MEDIUM  AV:N/AC:L/Au:N/C:P/I:P/A:N