Fortinet FortiGuard Labs has observed ongoing exploitation of vulnerabilities in Adobe ColdFusion, specifically a critical flaw (CVE-2021-21087) that allows arbitrary code execution. Despite security updates released by Adobe [6], remote attackers are still able to execute arbitrary code and take control of affected systems. The flaw is rooted in improper input validation [2], which is what gives attackers their entry point [2].

Description

FortiGuard Labs has detected numerous attempts to exploit the deserialization vulnerability in ColdFusion [4] [6], with attackers deploying various malware strains. These include XMRig Miner for cryptocurrency mining [3]; Satan DDoS (aka Lucifer) and RudeMiner (aka SpreadMiner) for cryptojacking and DDoS attacks; and the BillGates (aka Setag) backdoor for system hijacking [3], theft of sensitive information [1], and launching DDoS attacks [1]. The observed activity ranges from probing to the establishment of reverse shells [4] [6], and it continues despite the security updates Adobe has released [6]. In total, four malware variants have been identified [4] [6], including XMRig Miner and Satan DDoS/Lucifer [4] [6].

In addition, Adobe has released an emergency patch for a critical vulnerability in its ColdFusion service (CVE-2019-7816) [5]. This vulnerability allows a bypass of file upload restrictions, potentially leading to arbitrary code execution [5]. It affects ColdFusion 2018 update 2 and earlier, ColdFusion 2016 update 9 and earlier, and ColdFusion 11 update 17 and earlier [5]. The security update carries a priority 1 rating, meaning it addresses vulnerabilities that are actively being exploited in the wild [5].

Conclusion

The ongoing exploitation of vulnerabilities in Adobe ColdFusion poses significant risks to affected systems. Despite security updates [2] [3] [4] [5] [6], remote attackers are still able to execute arbitrary code and gain control. It is crucial for users to promptly upgrade affected systems and apply FortiGuard protection to mitigate these ongoing attacks. The history of security flaws in ColdFusion highlights the importance of proactive measures to address vulnerabilities. The release of emergency patches by Adobe demonstrates the severity of the situation and the need for immediate action.

References

[1] https://thehackernews.com/2023/09/poc-exploit-released-for-critical.html
[2] https://threatpost.com/adobe-critical-coldfusion-flaw-update/164946/
[3] https://www.hackread.com/hackers-adobe-coldfusion-vulnerabilities-malware/
[4] https://www.infosecurity-magazine.com/news/adobe-coldfusion-vulnerabilities/
[5] https://threatpost.com/adobe-patches-critical-coldfusion-vulnerability-with-active-exploit/142391/
[6] https://mywitan.com/2023/09/02/adobe-coldfusion-critical-vulnerabilities-exploited-despite-patches/