cbcvebase.
CVE-2024-20767
published 2024-03-18


Priority: P1, 89 (high)
CVSS 3.1: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Badges: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-01-06
Exploited in the wild
EPSS: 98.51% (99.9th percentile)
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
adobe | coldfusion | <= 2021.12 |
adobe | coldfusion | |
adobe | coldfusion | |

Detection & IOCs (extracted from sources)

url: /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat
url: /pms?module=logging&file_name=../../../../../../../{file_path}&number_of_lines=100
url: /hax/..CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat
url: /hax/../pms?module=logging&file_name=../../../../../../../../../../../../../../../../../../etc/passwd&number_of_lines=1000
path: /pms
port: 8500
snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M3 - Heap Memory Dump Module Unauthorized Memory Dump Attempt (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pms?module=heap_dump&username="; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"action=take"; endswith; http.request_header; content:"uuid|3a 20|"; nocase; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; reference:url,jeva.cc/2973.html; reference:cve,2024-20767; classtype:attempted-admin; sid:2056087; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_23, cve CVE_2024_20767, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_09_23; target:dest_ip;)
  • Step 1 of exploit: Unauthenticated GET to the servermanager.cfc getHeartBeat method returns a UUID (wddxPacket-wrapped) used as an auth token for subsequent file-read requests.
  • Step 2 of exploit: The file-read request is sent to /pms with a path-traversal file_name parameter and the UUID supplied in a custom 'uuid' HTTP request header. Detect the uuid header on requests to /pms.
  • Nuclei matcher: a successful exploit chain produces a response body containing 'wddxPacket' on the first request and a second response with Content-Type application/json and body containing '/bin/bash'.
  • The UUID token extracted from the first response matches the regex pattern used in the Snort rule: ^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}. Alert on this pattern appearing in a 'uuid' request header to /pms.
  • Path traversal sequences in the file_name parameter of /pms requests (dot-dot sequences, URL-encoded variants %2e, %2f, %5c) are a key detection signal per the Snort PCRE.
  • The heap_dump module variant of the attack targets /pms?module=heap_dump&username= with action=take at the end of the URI — monitor for this specific pattern as a high-confidence indicator of exploitation.
  • Path-traversal bypass uses /hax/.. prefix to reach protected CFIDE paths — monitor for requests containing '..CFIDE' or '/hax/../' in the URI.
  • Over 145,000 Internet-exposed ColdFusion servers tracked by Fofa; use Shodan query http.component:"Adobe ColdFusion" to identify exposed instances for prioritised patching/monitoring.
  • Exploitation requires the ColdFusion admin panel to be exposed to the internet. Instances with the admin panel not internet-accessible are not exploitable via this vector.
  • Beyond arbitrary file read, successful exploitation of internet-exposed admin panels can also enable arbitrary file system writes, escalating impact beyond the base CVE description.
  • The Snort rule (sid:2056087) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to fire on HTTPS-protected ColdFusion instances.
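The detection signals listed above, combined into one classifier over parsed request records. This is an added example, not code from the page's sources or from Adobe; the record schema (a uri plus a header map, as a proxy or WAF log would yield after parsing), the tag names, the sample records and the UUID value are all constructed for the demonstration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Patterns lifted from the IOC list and the Snort PCREs above: two or more dot-dot
# segments (raw or URL-encoded %2e/%2f/%5c), and the token shape that getHeartBeat
# returns and the 'uuid' request header replays.
TRAVERSAL_RE = re.compile(r"(?:(?:\.|%2e){1,2}(?:/|\\|%2f|%5c)+){2,}", re.IGNORECASE)
UUID_RE = re.compile(r"^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}$", re.IGNORECASE)


def classify(record):
    """Return sorted detection tags for one parsed request; [] means nothing seen.
    record = {"uri": str, "headers": {name: value}}; this schema is an assumption."""
    tags = set()
    raw = record["uri"]
    decoded = unquote(raw)                          # one decode pass; raw is checked too
    parts = urlsplit(decoded)
    path = posixpath.normpath(parts.path).lower()   # /hax/../pms -> /pms
    query = parse_qs(parts.query, keep_blank_values=True)
    headers = {k.lower(): v.strip() for k, v in record.get("headers", {}).items()}

    # Step 1 of the chain: unauthenticated token request to the admin API.
    if path.endswith("servermanager.cfc") and query.get("method") == ["getHeartBeat"]:
        tags.add("heartbeat-token-request")
    # Prefix trick used to reach protected CFIDE paths.
    if "..cfide" in decoded.lower() or "/hax/../" in decoded.lower():
        tags.add("hax-prefix-bypass")
    if path == "/pms":
        # Step 2: logging module with a traversal in file_name (raw or encoded).
        if query.get("module") == ["logging"] and (TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(decoded)):
            tags.add("pms-traversal-read")
        # Heap-dump variant covered by the Snort rule (sid:2056087).
        if query.get("module") == ["heap_dump"] and "username" in query and query.get("action") == ["take"]:
            tags.add("heap-dump-attempt")
        # Replayed token: UUID-shaped value in the custom 'uuid' header on /pms.
        if UUID_RE.match(headers.get("uuid", "")):
            tags.add("uuid-token-header")
    return sorted(tags)


# Constructed sample records, not real traffic; TOKEN is a made-up value.
TOKEN = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
SAMPLE_LOG = [
    {"uri": "/index.cfm", "headers": {}},
    {"uri": "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat", "headers": {}},
    {"uri": "/hax/../pms?module=logging&file_name=../../../../../../etc/passwd&number_of_lines=1000",
     "headers": {"uuid": TOKEN}},
    {"uri": "/pms?module=logging&file_name=%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd&number_of_lines=100",
     "headers": {}},
    {"uri": "/pms?module=heap_dump&username=admin&action=take", "headers": {"uuid": TOKEN}},
]
```

Run classify over each record of a parsed log; the second and fourth sample records show that a single URL-decode pass plus dot-segment normalisation is what makes the /hax/../ and %2E variants land on the same checks as the plain form.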

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck | | 7.4 | HIGH |
cisa | | 7.4 | HIGH |