Despite patches, critical vulnerabilities in Adobe ColdFusion exploited

Fortinet has detected ongoing threats targeting Adobe ColdFusion, a web development platform, despite the release of multiple security updates (APSB23-40, APSB23-41, and APSB23-47) by Adobe in July. These updates were issued in response to reports of critical vulnerabilities in the platform.

Despite these updates, Fortinet's FortiGuard Labs IPS telemetry data continues to identify numerous attempts to exploit one of these vulnerabilities, specifically the deserialization of untrusted data within the Web Distributed Data eXchange (WDDX) component used in certain ColdFusion requests.

This vulnerability is of utmost concern due to its potential for arbitrary code execution.

The observed attacks encompass various activities, including probing, utilizing an interactsh tool for generating domain names to test exploit success (which can also be exploited by attackers), and establishing reverse shells, often referred to as remote or connect-back shells. These reverse shells are used to exploit vulnerabilities within a target system by initiating a shell session, ultimately granting access to the victim's computer.

ColdFusion’s deserialization vulnerability

• XMRig Miner, which leverages computer processing cycles to mine for the Monero cryptocurrency.
• Satan DDoS/Lucifer, a hybrid bot that combines cryptojacking and distributed denial of service (DDoS) functionalities.
• RudeMiner/SpreadMiner, with similar functionalities as Lucifer.
• BillGates/Setag, a backdoor known for hijacking systems, communicating with command and control servers and initiating attacks.

Despite the release of patches for these vulnerabilities, ongoing public attacks persist. We strongly recommend that users promptly upgrade affected systems and implement FortiGuard protection to prevent threat probing.

For Further Reference

https://www.infosecurity-magazine.com/news/adobe-coldfusion-vulnerabilities/