CVE-2024-20767
Published 2024-03-18
Priority: P1 (89) · CVSS 3.1: 7.4 (high)
CVSS vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:N
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2025-01-06
Exploited in the wild
EPSS: 98.51% (99.9th percentile)
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel to be exposed to the internet.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | coldfusion | <= 2021.12 | — |
| adobe | coldfusion | — | — |
| adobe | coldfusion | — | — |
Detection & IOCs (extracted from sources)
URL: /hax/../pms?module=logging&file_name=../../../../../../../../../../../../../../../../../../etc/passwd&number_of_lines=1000
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M3 - Heap Memory Dump Module Unauthorized Memory Dump Attempt (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pms?module=heap_dump&username="; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"action=take"; endswith; http.request_header; content:"uuid|3a 20|"; nocase; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; reference:url,jeva.cc/2973.html; reference:cve,2024-20767; classtype:attempted-admin; sid:2056087; rev:1; metadata:affected_product Adobe_Coldfusion, attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_09_23, cve CVE_2024_20767, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_09_23; target:dest_ip;)
- Step 1 of exploit: an unauthenticated GET to the servermanager.cfc getHeartBeat method returns a UUID (wddxPacket-wrapped) that is used as an auth token for subsequent file-read requests.
- Step 2 of exploit: a file read request is sent to /pms with a path-traversal file_name parameter and the UUID supplied in a custom 'uuid' HTTP request header. Detect the uuid header on requests to /pms.
- Nuclei matcher: a successful exploit chain produces a response body containing 'wddxPacket' on the first request and a second response with Content-Type application/json and a body containing '/bin/bash'.
- The UUID token extracted from the first response matches the regex pattern used in the Snort rule: ^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}. Alert on this pattern appearing in a 'uuid' request header to /pms.
- Path traversal sequences in the file_name parameter of /pms requests (dot-dot sequences, URL-encoded variants %2e, %2f, %5c) are a key detection signal per the Snort PCRE.
- The heap_dump module variant of the attack targets /pms?module=heap_dump&username= with action=take at the end of the URI; monitor for this specific pattern as a high-confidence indicator of exploitation.
- The path-traversal bypass uses a /hax/.. prefix to reach protected CFIDE paths; monitor for requests containing '..CFIDE' or '/hax/../' in the URI.
- Over 145,000 Internet-exposed ColdFusion servers are tracked by Fofa; use the Shodan query http.component:"Adobe ColdFusion" to identify exposed instances for prioritised patching/monitoring.
- Exploitation requires the ColdFusion admin panel to be exposed to the internet. Instances whose admin panel is not internet-accessible are not exploitable via this vector.
- Beyond arbitrary file read, successful exploitation of internet-exposed admin panels can also enable arbitrary file system writes, escalating impact beyond the base CVE description.
- The Snort rule (sid:2056087) requires TLS decryption (tls_state TLSDecrypt / deployment SSLDecrypt) to fire on HTTPS-protected ColdFusion instances.
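As an added illustration (not part of this page, the ET ruleset, or any vendor tooling), the following Python checker applies the two /pms URI patterns, the getHeartBeat path and the uuid-header regex from the rules above to constructed request log lines; the log format and the sample UUID are made up for the example.

```python
import re

# Patterns taken from the Emerging Threats rules quoted above. The traversal PCRE is
# relative to the module prefix: within 10 chars, two or more dot/slash groups, plain or URL-encoded.
TRAVERSAL = re.compile(r"^.{0,10}(?:(?:\.|%2[Ee]){1,2}(?:/|\\|%5[Cc]|%2[Ff]){1,}){2,}")
UUID_RE = re.compile(r"^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}$", re.IGNORECASE)
HEARTBEAT = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"
PMS_MODULES = (  # (module prefix, parameter that must follow the traversal, signal label)
    ("/pms?module=logging&file_name=", "&number_of_lines=", "M2 logging traversal"),
    ("/pms?module=heap_dump&username=", "action=take", "M3 heap_dump traversal"),
)

def classify(method, uri, uuid_header):
    """Return the detection signals for one request; an empty list means clean."""
    hits = []
    if method != "GET":
        return hits
    if uri == HEARTBEAT:
        hits.append("M1 getHeartBeat token request")
    for prefix, tail, label in PMS_MODULES:
        idx = uri.find(prefix)  # find, not startswith, so the /hax/../pms form is caught too
        rest = uri[idx + len(prefix):] if idx != -1 else ""
        if rest and TRAVERSAL.match(rest) and tail in rest:
            hits.append(label)
    if "/pms" in uri and uuid_header and UUID_RE.match(uuid_header):
        hits.append("uuid header on /pms")
    if "/hax/../" in uri or "..CFIDE" in uri:
        hits.append("CFIDE path bypass")
    return hits

# Constructed sample log, format "METHOD URI uuid=<header value or ->"; the UUID is made up.
SAMPLE_LOG = """\
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat uuid=-
GET /hax/../pms?module=logging&file_name=../../../../../../etc/passwd&number_of_lines=1000 uuid=0f9c3a1e-5b2d-4c7e-9a11-3e6f8d2b4c5a
GET /pms?module=heap_dump&username=..%2f..%2f..%2ftmp&action=take uuid=0f9c3a1e-5b2d-4c7e-9a11-3e6f8d2b4c5a
GET /pms?module=logging&file_name=coldfusion-out.log&number_of_lines=50 uuid=-
GET /index.cfm uuid=-
"""

def scan(log_text):
    """Return [(line_no, uri, signals)] for every line that raises at least one signal."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        method, uri, uuid_field = line.split(" ", 2)
        value = uuid_field[len("uuid="):]
        signals = classify(method, uri, None if value == "-" else value)
        if signals:
            findings.append((n, uri, signals))
    return findings
```

The fourth sample line, a legitimate logging-module request without traversal or a uuid header, produces no signal, which is the false-positive case a rule like M2 must stay quiet on.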
CVSS provenance
- NVD (v3.1): 7.4 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
- VulnCheck: 7.4 HIGH
- CISA: 7.4 HIGH
GHSA
GHSA-r73p-8gx8-7pvg (ghsa_unreviewed · 2024-03-18): CVE-2024-20767 [HIGH] CWE-284
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
VulnCheck
Adobe ColdFusion Improper Access Control Vulnerability (vulncheck · 2024 · CVSS 7.4): CVE-2024-20767 [HIGH] CWE-284
Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel.
Affected: Adobe ColdFusion
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-11&host_type=src&vulnerability=cve-2024-20767; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-17&host_type=src&vulnerability=cve-2024-20767; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-27&host_type=src&vulnerability=cve-2024-20
CISA
Adobe ColdFusion Improper Access Control Vulnerability (cisa · 2024-12-16 · CVSS 7.4): CVE-2024-20767 [HIGH] CWE-284
Affected: Adobe ColdFusion
Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html ; https://nvd.nist.gov/vuln/detail/CVE-2024-20767
Remediation Due Date: 2025-01-06
Suricata
ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M3 - Heap Memory Dump Module Unauthorized Memory Dump Attempt (CVE-2024-20767) (suricata · 2024-09-23 · CVSS 7.4): CVE-2024-20767 [HIGH]
Rule: sid:2056087, rev:1; the full rule text is quoted in the Detection & IOCs section above.
Suricata
ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M1 - UUID Leak Via servermanager.cfc getHeartBeat Method (CVE-2024-20767) (suricata · 2024-09-23 · CVSS 7.4): CVE-2024-20767 [HIGH]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M1 - UUID Leak Via servermanager.cfc getHeartBeat Method (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:68; content:"/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"; fast_pattern; reference:url,jeva.cc/2973.html; reference:cve,2024-20767; classtype:attempted-admin; sid:2056086; rev:1; metadata:affected_product Adobe_Coldfusion, tls_state TLSDecrypt, created_at 2024_09_23, cve CVE_2024_20767, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact L
Suricata
ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M2 - logging Module Directory Traversal Attempt (CVE-2024-20767) (suricata · 2024-05-30 · CVSS 7.4): CVE-2024-20767 [HIGH]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER Adobe ColdFusion Arbitrary File Read Vulnerability M2 - logging Module Directory Traversal Attempt (CVE-2024-20767)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pms?module=logging&file_name="; fast_pattern; startswith; pcre:"/^.{0,10}(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"&number_of_lines="; distance:0; http.header; content:"uuid|3a 20|"; nocase; pcre:"/^[a-f0-9]{8}(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; reference:url,jeva.cc/2973.html; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-20767; reference:cve,2024-20767; classtype:attempted-us
Exploit-DB
Adobe ColdFusion 2023.6 - Remote File Read (exploitdb · 2025-07-28 · CVSS 7.4): CVE-2024-20767 [HIGH]
```python
# Exploit Title: Adobe ColdFusion 2023.6 - Remote File Read
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahmsql
# Description: ColdFusion 2023 (LUcee) - Remote Code Execution
# CVE: CVE-2024-20767
# Vendor Homepage: https://www.adobe.com/
# Requirements: requests>=2.25.0, urllib3>=1.26.0
# Usage: python3 CVE-2024-20767.py -u http://target.com -f /etc/passwd
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import re
import urllib3
import requests
import argparse
from urllib.parse import urlparse
from concurrent.futures import ThreadPoolExecutor, as_completed
urllib3.disable_warnings()
class ColdFusionExploit:
    def __init__(self, output_file=None, port=8500):
        self.output_file = output_file
        self.port
```
Metasploit
CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read (metasploit · CVSS 7.4): CVE-2024-20767 [HIGH]
This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request an authentication token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that UUID, attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
Nuclei
Adobe ColdFusion - Arbitrary File Read (nuclei · CVSS 7.4): CVE-2024-20767 [HIGH]
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access to sensitive files and perform arbitrary file system write. Exploitation of this issue does not require user interaction.
Template:
```yaml
id: CVE-2024-20767
info:
  name: Adobe ColdFusion - Arbitrary File Read
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could leverage this vulnerability to bypass security measures and
```
BleepingComputer
Windows kernel bug now exploited in attacks to gain SYSTEM privileges (blogs_bleepingcomputer · 2024-12-16 · CVSS 7.4): CVE-2024-35250 [HIGH]
By Sergiu Gatlan
CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability.
Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction.
While Microsoft didn't share more details in a security advisory published in June, the DEVCORE Research Team that found the flaw and reported it to Microsoft through Trend Micro's Zero Day Initiative says the vulnerable system component is the Microsoft Kernel Streaming Service (MSKSSRV.SYS).
DEVCORE security researchers used this MSKSSRV privil
GreyNoise
NoiseLetter April 2024 (blogs_greynoiseio)
2024-03-18: Published
2024-12-16: Added to CISA KEV
Exploited in the wild