CVE-2018-15957
published 2018-09-25


Priority: P265
CVSS 3.1: 9.8 (critical), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.21% (97.9th percentile)
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.

Affected (4 ranges)

Vendor | Product | Version range | Fixed in
adobe | coldfusion | |
adobe | coldfusion | |
adobe | coldfusion | |
adobe | coldfusion | |

Detection & IOCs (extracted from sources)

path: /CFIDE/wizards/common/utils.cfc
url: /CFIDE/wizards/common/utils.cfc?method=verifyldapserver
snort rule (GET):
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (GET) CVE-2018-15957"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CFIDE/wizards/common/utils.cfc?"; startswith; fast_pattern; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:cve,2018-15957; classtype:attempted-admin; sid:2036731; rev:1;)
snort rule (POST):
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (POST) CVE-2018-15957"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/wizards/common/utils.cfc"; startswith; fast_pattern; http.request_body; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:cve,2018-15957; classtype:attempted-admin; sid:2036732; rev:1;)
  • Exploit targets the LDAP verification endpoint via GET requests; look for URI starting with /CFIDE/wizards/common/utils.cfc? with parameters method=verifyldapserver, vserver=, vport=, vstart=, vusername=, vpassword= in the query string.
  • Exploit also delivered via POST requests to /CFIDE/wizards/common/utils.cfc with the same LDAP parameters in the request body; inspect HTTP POST body for method=verifyldapserver alongside vserver=, vport=, vstart=, vusername=, vpassword=.
  • The exploit has been observed in the wild in the context of EnemyBot IoT malware targeting CMS servers, indicating active exploitation.
  • A public exploit PoC is available on Exploit-DB (exploit ID 50781) and on GitHub (canvas framework); prioritize detection on perimeter and internal deployments.
  • Snort/Suricata rules target $HTTP_SERVERS and $HOME_NET; ensure these variables are correctly scoped to include all ColdFusion server IPs to avoid missed detections.
  • The GET rule uses 'startswith' on the URI content match for /CFIDE/wizards/common/utils.cfc?, which requires the URI to begin exactly with that path; proxies or URL rewriting that alter the path prefix may cause the rule to miss the exploit.
  • Affected versions are specifically ColdFusion July 12 2018 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier; scope detection to hosts running these versions.
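As an added defender-side example (not part of this record or of the ET rule set), the matching logic of the two Snort rules above applied to request records in Python, with a switch that also catches the proxy-rewritten path prefix noted in the caveat; the sample records and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

UTILS_PATH = "/CFIDE/wizards/common/utils.cfc"
# Parameters both ET rules require alongside method=verifyldapserver.
LDAP_PARAMS = ("vserver", "vport", "vstart", "vusername", "vpassword")

def has_ldap_verify_params(form_data: str) -> bool:
    """True if a query string or POST body carries the verifyldapserver call
    plus every LDAP parameter the rules look for (blank values count).
    Unlike the rules' raw content matches this check is case-insensitive."""
    params = parse_qs(form_data, keep_blank_values=True)
    if "verifyldapserver" not in [v.lower() for v in params.get("method", [])]:
        return False
    return all(name in params for name in LDAP_PARAMS)

def matches_cve_2018_15957(method: str, uri: str, body: str = "",
                           strict_prefix: bool = True) -> bool:
    """Mirror the two ET rules: GET with parameters in the query string,
    POST with them in the body. strict_prefix=True reproduces 'startswith';
    False also accepts a rewritten prefix in front of the utils.cfc path."""
    parts = urlsplit(uri)
    path_ok = parts.path == UTILS_PATH if strict_prefix else parts.path.endswith(UTILS_PATH)
    if not path_ok:
        return False
    if method == "GET":
        return has_ldap_verify_params(parts.query)
    if method == "POST":
        return has_ldap_verify_params(body)
    return False

# Constructed sample records (id, method, uri, body) standing in for a proxy or WAF log.
SAMPLE_REQUESTS = [
    ("r1", "GET", "/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=10.0.0.5"
                  "&vport=389&vstart=&vusername=cn=x&vpassword=y", ""),
    ("r2", "POST", "/CFIDE/wizards/common/utils.cfc",
     "method=verifyldapserver&vserver=10.0.0.5&vport=389&vstart=&vusername=cn=x&vpassword=y"),
    ("r3", "GET", "/cf/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=10.0.0.5"
                  "&vport=389&vstart=&vusername=cn=x&vpassword=y", ""),   # rewritten prefix
    ("r4", "GET", "/CFIDE/wizards/common/utils.cfc?method=getStatus&id=1", ""),  # benign call
    ("r5", "GET", "/index.cfm", ""),
]

def scan(requests, strict_prefix: bool = True):
    """Return the ids of matching records, in log order."""
    return [rid for rid, m, u, b in requests if matches_cve_2018_15957(m, u, b, strict_prefix)]

if __name__ == "__main__":
    print("strict:", scan(SAMPLE_REQUESTS))          # ['r1', 'r2']
    print("relaxed:", scan(SAMPLE_REQUESTS, False))  # ['r1', 'r2', 'r3']
```

The relaxed mode shows what the strict 'startswith' match misses when a proxy prepends a path segment; run it alongside the strict mode when reviewing logs from rewritten deployments.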

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C