CVE-2018-15961
published 2018-09-25

Priority: P1 (94), critical
CVSS 3.1: 9.8, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Exploit, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.95% (100.0th percentile)
Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.

Affected (4 ranges)

Vendor   Product     Version range   Fixed in
adobe    coldfusion  -               -
adobe    coldfusion  -               -
adobe    coldfusion  -               -
adobe    coldfusion  -               -

Detection & IOCs (extracted from sources)

url: POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload
path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
path: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/
filename: up.php.fla
other (MD5 matcher): ddbb3e76f92e78c445c8ecb392beb225
  • Exploit arrives as an unauthenticated HTTP POST to /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm with query parameter action=upload; no authentication is required.
  • Attackers upload a JSP webshell (China Chopper JSP variant) via the CKEditor filemanager plugin; look for newly created .jsp files under /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/.
  • Defaced sites contain a characteristic hacktivist message string; presence of this string in web-accessible files under /cf_scripts/ indicates compromise.
  • Restrict access to /CFIDE/administrator to approved IP addresses only to limit post-exploitation administrative access.
  • The Nuclei template for this CVE uses the MD5 word matcher 'ddbb3e76f92e78c445c8ecb392beb225' in the HTTP response from the uploaded JSP to confirm successful exploitation.
  • The CKEditor filemanager settings.cfm configuration file controls which file extensions are blocked for upload; the default configuration prior to the patch did NOT include .jsp in the block list, enabling JSP webshell uploads. After patching, .jsp is added to the disallowed list.
  • Even with a corrected extension block list, the 'path' form variable directory traversal issue allowed placement of files outside the intended upload directory; both issues were addressed in the Adobe update.
  • The vulnerability is rooted in the CKEditor filemanager plugin introduced when Adobe replaced FCKeditor with CKEditor; the upload endpoint is unauthenticated by default.
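As an added example (not taken from this page's sources or from any tool it lists), the following Python script runs the two detection points above over constructed web access-log lines: the unauthenticated POST to upload.cfm with action=upload, and later requests for server-side script files under uploadedFiles/. The combined log format, the sample entries and the extension list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log entries (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2018:10:01:02 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 200 512 "-" "python-requests/2.19"
203.0.113.10 - - [25/Sep/2018:10:01:05 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell.jsp HTTP/1.1" 200 43 "-" "python-requests/2.19"
198.51.100.7 - - [25/Sep/2018:10:02:00 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/ckeditor.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2018:10:02:30 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=list HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths taken from the IOC list above.
UPLOAD_CFM = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"
UPLOADED_DIR = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/"
# Assumption: server-side script extensions that should never be served from uploadedFiles/.
SCRIPT_EXTS = (".jsp", ".jspx", ".cfm", ".cfml")

def classify(line):
    """Return a finding dict for one log line, or None if the line is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    actions = [v.lower() for v in parse_qs(parts.query).get("action", [])]
    if m["method"] == "POST" and path == UPLOAD_CFM.lower() and "upload" in actions:
        kind = "upload_attempt"      # POST upload.cfm?action=upload (needs no auth)
    elif path.startswith(UPLOADED_DIR.lower()) and path.endswith(SCRIPT_EXTS):
        kind = "webshell_access"     # script file requested from the upload directory
    else:
        return None
    return {"kind": kind, "ip": m["ip"], "ts": m["ts"], "target": m["target"],
            "status": int(m["status"])}

def scan(log_text):
    """Scan a whole log; returns findings in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['kind']:16} {f['ip']:14} {f['ts']} {f['target']}")
```

A webshell_access hit with HTTP 200 after an upload_attempt from the same client is the strongest signal; pair it with a filesystem check of uploadedFiles/ for the newly created .jsp.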

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -