CVE-2013-0625

CVSS 9.8 CRITICAL · EPSS 93.8% · KEV · CWE-287
In short

Adobe ColdFusion 9.0, 9.0.1 and 9.0.2 can be accessed without authentication if no password is set, allowing remote attackers to bypass authentication and possibly run arbitrary code on the server.

Technical detail

ColdFusion 9.0–9.0.2 does not enforce authentication when no password is configured, enabling remote unauthenticated access via unspecified vectors that can lead to arbitrary code execution. This affects deployments where no password has been configured, and it was exploited in the wild in January 2013.

Summary generated and translated by AI from the official description.
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a