CVE-2018-15961
Published: 2018-09-25
Priority: P1 (94) · CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: CISA KEV · exploited in the wild · public exploit · initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
EPSS: 99.95% (100.0th percentile)
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
- Exploit arrives as an unauthenticated HTTP POST to /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm with query parameter action=upload; no authentication is required.
- Attackers upload a JSP webshell (China Chopper JSP variant) via the CKEditor filemanager plugin; look for newly created .jsp files under /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/.
- Defaced sites contain a characteristic hacktivist message string; presence of this string in web-accessible files under /cf_scripts/ indicates compromise.
- Restrict access to /CFIDE/administrator to approved IP addresses only to limit post-exploitation administrative access.
- The Nuclei template for this CVE uses the MD5 word matcher 'ddbb3e76f92e78c445c8ecb392beb225' in the HTTP response from the uploaded JSP to confirm successful exploitation.
- The CKEditor filemanager settings.cfm configuration file controls which file extensions are blocked for upload; the default configuration prior to the patch did NOT include .jsp in the block list, enabling JSP webshell uploads. After patching, .jsp is added to the disallowed list.
- Even with a corrected extension block list, the 'path' form variable directory traversal issue allowed placement of files outside the intended upload directory; both issues were addressed in the Adobe update.
- The vulnerability is rooted in the CKEditor filemanager plugin introduced when Adobe replaced FCKeditor with CKEditor; the upload endpoint is unauthenticated by default.
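As an added defender-side example (not code from any of the sources listed on this page), the following Python scans constructed access-log lines for the indicators above: POST requests to the CKEditor filemanager upload.cfm with action=upload (matched more broadly than the Suricata rule's exact "endswith" pattern), a `..` sequence in a path parameter, and requests for .jsp files under uploadedFiles; it also checks an extension block list, like the one in settings.cfm, for a missing .jsp entry. The log lines and block lists are constructed, and because the real 'path' variable is a POST form field, it is only visible in access logs when sent in the query string.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines for demonstration; not from a real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Nov/2018:10:01:02 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 200 512
203.0.113.7 - - [08/Nov/2018:10:01:05 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/x.jsp HTTP/1.1" 200 128
198.51.100.9 - - [08/Nov/2018:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048
198.51.100.9 - - [08/Nov/2018:10:02:30 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=Upload&path=..%2F..%2FCFIDE HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
FILEMANAGER = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/"
UPLOAD_ENDPOINT = FILEMANAGER + "upload.cfm"
UPLOADED_DIR = FILEMANAGER + "uploadedfiles/"   # paths are compared lower-cased


def classify(method, uri):
    """Return the indicators one request matches (empty list when benign)."""
    parts = urlsplit(uri)
    path = unquote(parts.path).lower()
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    hits = []
    # Unauthenticated upload: POST to upload.cfm with action=upload; extra parameters
    # are allowed, so this is broader than the Suricata rule's exact endswith match.
    if method == "POST" and path == UPLOAD_ENDPOINT and "upload" in query.get("action", []):
        hits.append("upload.cfm action=upload")
        # The traversal vector is the 'path' form variable; access logs only show it
        # when it is sent in the query string, so this check is best-effort.
        if any(".." in p for p in query.get("path", [])):
            hits.append("directory traversal in path")
    # Follow-up access to a JSP dropped into the plugin's upload directory.
    if path.startswith(UPLOADED_DIR) and path.endswith(".jsp"):
        hits.append("jsp under uploadedFiles")
    return hits


def scan_log(text):
    """Return (ip, timestamp, uri, indicators) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = classify(m["method"], m["uri"])
            if hits:
                findings.append((m["ip"], m["ts"], m["uri"], hits))
    return findings


def missing_jsp_block(blocked_extensions):
    """True when a filemanager extension block list (as in settings.cfm) omits .jsp."""
    return "jsp" not in {e.lower().lstrip(".") for e in blocked_extensions}


if __name__ == "__main__":
    for ip, ts, uri, hits in scan_log(SAMPLE_LOG):
        print(ip, ts, uri, "->", "; ".join(hits))
```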
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA
Adobe ColdFusion Unrestricted File Upload Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2018-15961 [CRITICAL] CWE-434 Adobe ColdFusion Unrestricted File Upload Vulnerability
Vulnerability: Adobe ColdFusion Unrestricted File Upload Vulnerability
Affected: Adobe ColdFusion
Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2018-15961
Remediation Due Date: 2022-05-03
GHSA
GHSA-4gvr-xfhg-jc8f: Adobe ColdFusion versions July 12 release (2018
ghsa_unreviewed·2022-05-13
CVE-2018-15961 [CRITICAL] CWE-434 GHSA-4gvr-xfhg-jc8f: Adobe ColdFusion versions July 12 release (2018
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
VulnCheck
Adobe ColdFusion Unrestricted File Upload Vulnerability
vulncheck·2018·CVSS 9.8
CVE-2018-15961 [CRITICAL] CWE-434 Adobe ColdFusion Unrestricted File Upload Vulnerability
Adobe ColdFusion contains an unrestricted file upload vulnerability that could allow for code execution.
Affected: Adobe ColdFusion
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2018-15961; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-22&host_type=src&vulnerability=cve-2018-15961; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-26&host_type=src&vulnerability=cve-2018-15961; https://dashboard.shadowserver.org/statisti
Suricata
ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)
suricata·2018-11-13·CVSS 9.8
CVE-2018-15961 [CRITICAL] ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)
Rule:
```
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_CLIENT [Volex] Possible ColdFusion Unauthenticated Upload Attempt (CVE-2018-15961)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upload.cfm?action=upload"; nocase; fast_pattern; endswith; reference:cve,2018-15961; reference:url,volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/; classtype:attempted-user; sid:2026604; rev:4; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, created_at 2018_11_13, cve CVE_2018_15961, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CVE_2018_15961, t
```
Exploit-DB
Adobe ColdFusion 2018 - Arbitrary File Upload
exploitdb·2018-12-11·CVSS 9.8
CVE-2018-15961 [CRITICAL] Adobe ColdFusion 2018 - Arbitrary File Upload
---
# Exploit Title: Unrestricted file upload in Adobe ColdFusion 2018
# Google Dork: ext:cfm
# Date: 10-12-2018
# Exploit Author: Pete Freitag of Foundeo
# Reversed: Vahagn vah_13 Vardanian
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# CVE : CVE-2018-15961
# Comment: September 28, 2018: Updates for ColdFusion 2018 and ColdFusion 2016 have been elevated to Priority 1 due to a report that CVE-2018-15961 is now being actively exploited.
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: coldfusion:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data; boundary=-----
```
Metasploit
Adobe ColdFusion CKEditor unrestricted file upload
metasploit
Adobe ColdFusion CKEditor unrestricted file upload
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release) allows unauthenticated remote attackers to upload and execute JSP files through the filemanager plugin. Tested on Adobe ColdFusion 2018.0.0.310739.
Nuclei
Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
nuclei·CVSS 9.8
CVE-2018-15961 [CRITICAL] Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
Template:
```yaml
id: CVE-2018-15961
info:
  name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
  author: SkyLark-Lab,ImNightmaree
  severity: critical
  description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
  impact: |
    Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to
```
Greynoiseio
Coordinated Cloud-Based Scanning Operation Targets 75 Known Exposure Points in One Day
blogs_greynoiseio·2025-05-27
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Threat Brief: FireEye Red Team Tool Breach
blogs_unit42·2020-12-11
## Threat Brief: FireEye Red Team Tool Breach
Unit 42
Published: December 10, 2020
## Executive Summary
On Dec. 8, 2020, one of the leading cybersecurity companies in the industry, FireEye, reported a breach and data exfiltration unlike any that we have seen previously. What makes this attack unique is not only the target, FireEye being a well-known cybersecurity company, but that the stolen data contains the internal, custom-crafted red-team and penetration testing tools used by the company to imitate different threat actors during customer security consultations. FireEye’s blog provided a wealth of information for defenders to implement security controls and mitigations for defense against the stolen tools. This data is being used by Palo Alto Networks to help ensure our customers are protected if the attackers choose to utilize the tools for malicious purposes.
Fortinet
FireEye Red Team Tool Breach | Fortinet
blogs_fortinet·2020-12-11·CVSS 8.8
[HIGH] FireEye Red Team Tool Breach | Fortinet
By Carl Windsor | December 11, 2020
Executive Summary
On December 8th cyber security vendor FireEye reported a breach of their network and data exfiltration which included their internally developed Red Team tools. FireEye took the step of publishing details of these tools in a GitHub repository to allow other vendors to protect against their use by potential adversaries.
This breach has been attributed to a nation state threat actor so we do not expect to see these tools be widely abused in the wild, however with the additional information provided by FireEye, Fortinet have been able to ensure that these tools cannot be abused.
Threat Mitigation
None of the vulnerabilities disclosed as targeted in the tools were zero days, therefore FortiGuard
Qualys
Solorigate/Sunburst : Theft of Cybersecurity Tools | FireEye Breach
blogs_qualys·2020-12-10
Update Jan 5, 2021: New patching section with two new dashboard widgets showing the number of missing FireEye-related patches in your environment and the number of assets in your environment missing one of those patches.
Update Dec 23, 2020: Added a new section on compensating controls.
Update Dec 22, 2020: FireEye disclosed the theft of their Red Team assessment tools. Hackers now have an influential collection of new techniques to draw upon.
Using Qualys VMDR, the vulnerabilities for Solorigate/SUNBURST can be prioritized for the following Real-Time Threat Indicators (RTIs):
- Active Attacks
- Solorigate Sunburst (New RTI)
Original post : On December 8, 2020, FireEye disclosed theft of their Red Team assessment tools. These tools are used by FireEye to test and validate the securit
Zscaler
SolarWinds CyberAttack and FireEye Red Team Tools Coverage
blogs_zscaler·2020-12-09
Tenable
APT Malware Activity Detected Exploiting a Patched ColdFusion Vulnerability (CVE-2018-15961)
blogs_tenable·2018-11-08·CVSS 9.8
[CRITICAL] APT Malware Activity Detected Exploiting a Patched ColdFusion Vulnerability (CVE-2018-15961)
# APT Malware Activity Detected Exploiting a Patched ColdFusion Vulnerability (CVE-2018-15961)
Ryan Seguin
November 8, 2018
Researchers at Volexity have identified multiple groups exploiting CVE-2018-15961 in unpatched, web-facing Adobe ColdFusion servers. Users are urged to upgrade to the latest version of ColdFusion.
## Background
On November 8, Volexity reported Advanced Persistent Threat (APT) and hacktivist groups have been targeting web-facing instances of Adobe ColdFusion that haven’t patched for CVE-2018-15961. Adobe released APSB18-33 to address the vulnerability on September 11, 2018.
## Impact assessment
The researchers at Volexity identified two separate and unrelated attacks on a number of web-facing ColdFusion servers
Volexity
Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)
blogs_volexity·2018-11-08·CVSS 9.8
CVE-2018-15961 [CRITICAL] Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)
Threat Intelligence
## Active Exploitation of Newly Patched ColdFusion Vulnerability (CVE-2018-15961)
November 8, 2018
Volexity Threat Research
If your organization is running an Internet-facing version of ColdFusion, you may want to take a close look at your server. Volexity recently observed active exploitation of a newly patched vulnerability in Adobe ColdFusion, for which no public details or proof-of-concept code exists. In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell. The target server was missing a single update from Adobe that had been released just two weeks earlier. On September 11, 2018, Adobe issued security bulletin APSB18-33, which fixed a variety of issue
References
- http://www.securityfocus.com/bid/105314
- http://www.securitytracker.com/id/1041621
- https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
- https://www.exploit-db.com/exploits/45979/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-15961
Timeline
- 2018-09-25: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild