CVE-2022-35690
published 2022-10-14

Priority: P2 · 74 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 72.21% (99.4th percentile)
Adobe ColdFusion versions Update 14 (and earlier) and Update 4 (and earlier) are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction; the vulnerability is triggered when a crafted network packet is sent to the server.

Affected (3 ranges)

Vendor   Product      Version range             Fixed in
adobe    coldfusion
adobe    coldfusion
adobe    coldfusion   unspecified – CF2021U4

Detection & IOCs (extracted from sources)

port: 20009/TCP
filename: swagent.exe
snort:
alert tcp any any -> $HOME_NET 20009 (msg:"ET EXPLOIT Adobe ColdFusion ODBC Agent Memory Corruption (CVE-2022-35690)"; flow:established,to_server; content:"GIOP"; startswith; content:"|00|"; distance:3; within:1; byte_test:4,=,0,4,relative; content:"IIOP|3a|slx|3a 3a|"; distance:0; fast_pattern; content:"SSP|00 00 00 00 00|"; distance:0; content:"|08|"; distance:0; byte_test:1,>,38,0,relative; reference:url,www.zerodayinitiative.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in-adobe-coldfusion; reference:url,www.sonicwall.com/blog/adobe-coldfusion-heap-buffer-overflow-vulnerability; reference:cve,2022-35690; classtype:attempted-admin; sid:2065686; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2025_11_06, cve CVE_2022_35690, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Flag as suspicious if OpcodeDataSize of Opcode 7 exceeds 22 (stack overflow trigger) or OpcodeDataSize of Opcode 8 exceeds 38 (heap overflow trigger), or if OpcodeDataSize exceeds remaining bytes in the 0x3b-byte Opcodes window.
  • Parse Opcodes in the GIOP request body and stop processing once 0x3b bytes have been examined or opcode 9 is encountered; only opcodes 7 and 8 carry the variable-length OpcodeDataSize field that enables the overflow.
  • The vulnerable process is swagent.exe (ColdFusion ODBC Agent). Monitor for unexpected crashes or child processes spawned from swagent.exe as an indicator of exploitation or DoS.
  • The ColdFusion ODBC Agent does NOT fully follow the GIOP specification. ServiceContext and Principal fields must be 0 and Object Key must be exactly "IIOP:slx::" — deviations cause the agent to silently drop the packet without processing, meaning exploit attempts that deviate from this non-standard format will not reach the vulnerable code.
  • Applying the ColdFusion patch alone is insufficient — the JDK/JRE must also be updated to the latest LTS release for JDK 11, otherwise the server remains vulnerable.
  • All multi-byte values in the GIOP packet are big-endian; detection logic must account for this byte ordering when parsing OpcodeDataSize and other numeric fields.
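The detection notes above describe a small parser (find the opcode window after the "SSP" operation, walk opcodes until 0x3b bytes or opcode 9, compare the OpcodeDataSize of opcodes 7 and 8 against 22 and 38 and against the bytes left in the window, read multi-byte fields big-endian). The Python below is an added example written for this page; it is not cvebase's, Adobe's or the Snort rule author's code. It assumes, beyond what the page states, that each opcode in the window is one byte, that opcodes 7 and 8 are followed by a single OpcodeDataSize byte and that many data bytes (the rule's byte_test:1 after |08| is the basis for the one-byte size), and that other opcodes carry no data. The constructed sample packets only loosely follow a GIOP 1.0 Request layout; the names inspect_giop_request and build_request are hypothetical.

```python
import struct

# Constants taken from the detection notes and the Snort rule on this page.
OPCODE_WINDOW = 0x3B                       # opcode window examined by the agent
STOP_OPCODE = 9                            # parsing stops once opcode 9 is seen
SIZE_LIMITS = {7: 22, 8: 38}               # OpcodeDataSize limits for opcodes 7 / 8
OBJECT_KEY = b"IIOP:slx::"                 # object key the agent insists on
BODY_MARKER = b"SSP\x00\x00\x00\x00\x00"   # "SSP" operation + zero-length principal


def inspect_giop_request(pkt: bytes) -> list:
    """Return a list of findings for one TCP payload (empty list = nothing suspicious).

    ASSUMPTION (not on the page): each opcode is one byte; opcodes 7 and 8 are followed
    by a one-byte OpcodeDataSize and that many data bytes; other opcodes carry no data.
    """
    findings = []
    if len(pkt) < 12 or pkt[:4] != b"GIOP":
        return ["not a GIOP message"]
    if pkt[7] != 0x00:                                    # GIOP message type 0 = Request
        return ["not a GIOP Request (message type != 0)"]
    if len(pkt) < 16:
        return ["truncated GIOP Request header"]
    # All multi-byte fields are big-endian (page note), hence the ">I" format.
    msg_size = struct.unpack(">I", pkt[8:12])[0]
    if msg_size != len(pkt) - 12:
        findings.append(f"message_size {msg_size} != payload length {len(pkt) - 12}")
    if struct.unpack(">I", pkt[12:16])[0] != 0:
        findings.append("ServiceContext count is not 0 (agent would drop the packet)")
    if OBJECT_KEY not in pkt:
        findings.append("object key is not IIOP:slx:: (agent would drop the packet)")
        return findings
    idx = pkt.find(BODY_MARKER)
    if idx < 0:
        findings.append("SSP operation / empty principal marker not found")
        return findings
    start = idx + len(BODY_MARKER)
    window = pkt[start:start + OPCODE_WINDOW]             # at most 0x3b bytes are examined
    pos = 0
    while pos < len(window):
        op = window[pos]
        pos += 1
        if op == STOP_OPCODE:
            break
        if op not in SIZE_LIMITS:
            continue                                      # assumed: no data bytes follow
        if pos >= len(window):
            findings.append(f"opcode {op}: OpcodeDataSize byte missing")
            break
        size = window[pos]
        pos += 1
        remaining = len(window) - pos
        if size > SIZE_LIMITS[op]:
            findings.append(f"opcode {op}: OpcodeDataSize {size} exceeds limit {SIZE_LIMITS[op]}")
        if size > remaining:
            findings.append(f"opcode {op}: OpcodeDataSize {size} exceeds {remaining} bytes remaining in opcode window")
            break
        pos += size
    return findings


def build_request(opcode_body: bytes) -> bytes:
    """Constructed GIOP 1.0-style Request skeleton used only to exercise the detector.

    Field order loosely follows a GIOP 1.0 Request (service context, request id,
    response_expected, object key, operation, principal); real agent traffic may differ.
    """
    body = struct.pack(">I", 0)                               # service context count = 0
    body += struct.pack(">I", 1)                              # request id
    body += b"\x01\x00\x00\x00"                               # response_expected + CDR padding
    body += struct.pack(">I", len(OBJECT_KEY)) + OBJECT_KEY   # object key sequence
    body += b"\x00\x00"                                       # CDR padding to 4-byte boundary
    body += struct.pack(">I", 4) + b"SSP\x00"                 # operation "SSP" + NUL
    body += struct.pack(">I", 0)                              # requesting principal length = 0
    body += opcode_body
    header = b"GIOP\x01\x00\x00\x00" + struct.pack(">I", len(body))   # v1.0, flags 0, Request
    return header + body


# Constructed sample opcode bodies (not captured traffic).
BENIGN_BODY = b"\x07\x04" + b"\x00" * 4 + b"\x08\x08" + b"\x00" * 8 + b"\x09"
OVERSIZED_OPCODE8_BODY = b"\x08\x28" + b"\x00" * 40 + b"\x09"   # size 40 > limit 38
TRUNCATED_OPCODE7_BODY = b"\x07\x0a" + b"\x00" * 3               # size 10 but only 3 bytes left

if __name__ == "__main__":
    samples = [("benign", BENIGN_BODY),
               ("oversized opcode 8", OVERSIZED_OPCODE8_BODY),
               ("truncated opcode 7", TRUNCATED_OPCODE7_BODY)]
    for name, body in samples:
        print(name, "->", inspect_giop_request(build_request(body)) or "clean")
```

The walk stops at the end of the 0x3b-byte window or at opcode 9 exactly as the notes describe, and the "exceeds remaining bytes" branch is what catches a size field that points past the window even when it is under the per-opcode limit.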
CVE-2022-35690 — Stack-based Buffer Overflow in Adobe | cvebase