CVE-2013-0632
In short
Adobe ColdFusion's administrative interface could be accessed without a password through the RDS component, allowing attackers to take full control of the server. This was actively exploited by hackers in early 2013.
Technical detail
The RDS (Remote Development Services) component in ColdFusion 9.0–10 accepts connections with an empty default password, enabling unauthenticated access to the administrator.cfc interface. An attacker can establish an RDS session and leverage it to access the administrative web interface, bypassing authentication and potentially executing arbitrary code with administrative privileges.
Summary generated and translated by AI from the official description.
administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 4
- cve_reference: www.exploit-db.com/exploits/30210 (unverified)
- exploitdb: www.exploit-db.com/exploits/30210 (unverified)
- exploitdb: www.exploit-db.com/exploits/24946 (unverified)
- exploitdb: www.exploit-db.com/exploits/27755 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.