CVE-2018-15957
Published: 2018-09-25
Priority: P2 (65) · Severity: critical · CVSS 3.1 base score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 28.21% (97.9th percentile)
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have a deserialization of untrusted data vulnerability. Successful exploitation could lead to arbitrary code execution.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
URL: /CFIDE/wizards/common/utils.cfc?method=verifyldapserver
Snort rule (GET request, sid 2036731):
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (GET) CVE-2018-15957"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CFIDE/wizards/common/utils.cfc?"; startswith; fast_pattern; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:cve,2018-15957; classtype:attempted-admin; sid:2036731; rev:1;)
Snort rule (POST request, sid 2036732):
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (POST) CVE-2018-15957"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/wizards/common/utils.cfc"; startswith; fast_pattern; http.request_body; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:cve,2018-15957; classtype:attempted-admin; sid:2036732; rev:1;)
- The exploit targets the LDAP verification endpoint via GET requests: look for a URI that begins with /CFIDE/wizards/common/utils.cfc? and carries the parameters method=verifyldapserver, vserver=, vport=, vstart=, vusername= and vpassword= in the query string.
- The exploit is also delivered via POST requests to /CFIDE/wizards/common/utils.cfc with the same LDAP parameters in the request body: inspect the HTTP POST body for method=verifyldapserver alongside vserver=, vport=, vstart=, vusername= and vpassword=.
- The exploit has been observed in the wild as part of the EnemyBot IoT malware's campaign against CMS servers, so this is an actively exploited vulnerability.
- A public exploit PoC is available on Exploit-DB (exploit ID 50781) and on GitHub (canvas framework); prioritize detection on both perimeter and internal deployments.
- The Snort/Suricata rules match on $HTTP_SERVERS and $HOME_NET; make sure these variables are scoped to include every ColdFusion server IP, otherwise traffic to unlisted hosts is never inspected.
- The GET rule applies 'startswith' to the URI content match for /CFIDE/wizards/common/utils.cfc?, so the URI must begin exactly with that path; proxies or URL rewriting that prepend or alter the path prefix will cause the rule to miss the exploit.
- The affected versions are specifically the ColdFusion July 12 2018 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier; scope detection and patch prioritization to hosts running these versions.
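To test web-server or proxy request records against the conditions in the two rules above, here is an added Python example (not from the page, the rule authors or Adobe). It mirrors the rules' logic, with the URI prefix checked as 'startswith' and the parameter names checked as substring content matches, and it includes the rewritten-prefix case the notes above flag as a gap; the request records are constructed samples and the sids are taken from the rules above.

```python
"""Emulate the ET EXPLOIT CVE-2018-15957 rules over parsed HTTP requests (added example)."""
from typing import List, Optional, Tuple

URI_PREFIX = "/CFIDE/wizards/common/utils.cfc"
# Content matches the rules require; like Snort 'content', these are case-sensitive substrings.
CONTENT = ("method=verifyldapserver", "vserver=", "vport=", "vstart=", "vusername=", "vpassword=")


def _has_ldap_params(buf: str) -> bool:
    """True when every required token appears somewhere in the buffer (URI or body)."""
    return all(token in buf for token in CONTENT)


def matches_rule(method: str, uri: str, body: str = "") -> Optional[str]:
    """Return the sid of the rule that would fire ('2036731' GET, '2036732' POST) or None.

    As in the rules, the URI must *begin* with the utils.cfc path, so a request whose
    path was rewritten to carry an extra prefix (e.g. '/app/CFIDE/...') is not matched.
    """
    if method == "GET" and uri.startswith(URI_PREFIX + "?"):
        return "2036731" if _has_ldap_params(uri) else None
    if method == "POST" and uri.startswith(URI_PREFIX):
        # The POST rule inspects http.request_body, not the URI, for the parameters.
        return "2036732" if _has_ldap_params(body) else None
    return None


# Constructed sample requests (method, uri, body); not captured traffic.
LDAP_PARAMS = "method=verifyldapserver&vserver=x&vport=1&vstart=&vusername=a&vpassword=b"
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", f"{URI_PREFIX}?{LDAP_PARAMS}", ""),                       # GET rule fires
    ("POST", URI_PREFIX, LDAP_PARAMS),                                # POST rule fires
    ("GET", f"{URI_PREFIX}?method=someOtherMethod", ""),              # constructed benign call
    ("GET", f"/app{URI_PREFIX}?{LDAP_PARAMS}", ""),                   # rewritten prefix: missed
]


def scan(requests: List[Tuple[str, str, str]] = SAMPLE_REQUESTS) -> List[Tuple[int, str]]:
    """Return (index, sid) for each request a rule would alert on."""
    hits = []
    for i, (method, uri, body) in enumerate(requests):
        sid = matches_rule(method, uri, body)
        if sid:
            hits.append((i, sid))
    return hits


if __name__ == "__main__":
    print(scan())  # [(0, '2036731'), (1, '2036732')]
```

The fourth sample shows the rewritten-prefix blind spot: it carries the full parameter set but no sid is returned, so a deployment behind a rewriting proxy needs an additional rule or log-based check that does not rely on the URI prefix.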
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Suricata rule: ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (GET) CVE-2018-15957 (suricata · 2022-05-31 · CVSS 9.8 · CRITICAL)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (GET) CVE-2018-15957"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CFIDE/wizards/common/utils.cfc?"; startswith; fast_pattern; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50781; reference:url,github.com/berez23/ca
Suricata rule: ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (POST) CVE-2018-15957 (suricata · 2022-05-31 · CVSS 9.8 · CRITICAL)
Rule: alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Adobe ColdFusion 11 - LDAP Java Object Deserialization RCE (POST) CVE-2018-15957"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CFIDE/wizards/common/utils.cfc"; startswith; fast_pattern; http.request_body; content:"method=verifyldapserver"; content:"vserver="; content:"vport="; content:"vstart="; content:"vusername="; content:"vpassword="; reference:md5,090605df233b6dba07db48639c7766e7; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50781; reference:url,gith
No public exploits indexed.
No writeups or analysis indexed.