ColdFusion verifyldapserver vulnerability

Added: 03/07/2022

Background

Adobe ColdFusion is a web application development platform written in Java.

Problem

The verifyldapserver method in utils.cfc accepts an attacker-supplied LDAP server address and makes the ColdFusion server open a JNDI/LDAP connection to it. An attacker running a malicious LDAP server can answer with an entry that references a Java class on a codebase under their control; the ColdFusion JVM downloads and instantiates that class, which gives the attacker code execution with the privileges of the ColdFusion service account (a JNDI injection, the same class of bug as other LDAP-reference attacks against Java applications).
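The bug class behind this entry, as an added illustration that is not ColdFusion's code (the page gives no source for utils.cfc): a Java method that probes an LDAP server named by the caller, beside a hardened version that allow-lists the target, never reconstructs objects from directory entries and bounds the connection time. The method names, the parameters `host`, `port` and `baseDn`, and the allow-listed hostnames are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/*
 * Illustration of the JNDI/LDAP injection bug class. This is NOT ColdFusion's
 * code: method names, parameters and the allow-list are assumptions.
 */
public class LdapVerifyDemo {

    /** Vulnerable pattern: host and port come straight from the HTTP request. */
    public static boolean verifyLdapServerUnsafe(String host, String port, String baseDn)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        DirContext ctx = new InitialDirContext(env); // connects to whatever the caller named
        try {
            // lookup() decodes the entry it gets back. If the attacker's LDAP server
            // returns javaClassName/javaFactory/javaCodebase (or javaSerializedData)
            // attributes, JNDI instantiates the described object, i.e. it runs the
            // attacker's class inside the ColdFusion JVM.
            ctx.lookup(baseDn);
            return true;
        } finally {
            ctx.close();
        }
    }

    /** Assumed allow-list of directory servers an administrator may probe. */
    private static final List<String> ALLOWED_HOSTS =
            Arrays.asList("ldap.corp.example", "ldap-backup.corp.example");

    /** Reject anything that is not a pre-approved host on a valid port. */
    public static boolean validateTarget(String host, String port) {
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return false;
        }
        try {
            int p = Integer.parseInt(port);
            return p > 0 && p <= 65535;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /** Hardened pattern: allow-listed target, no object decoding, bounded timeouts. */
    public static boolean verifyLdapServerHardened(String host, String port, String baseDn)
            throws NamingException {
        if (!validateTarget(host, port)) {
            throw new IllegalArgumentException("LDAP target not in allow-list: " + host);
        }
        // Belt and braces: never load classes from URLs named in LDAP entries,
        // even on a JVM whose default predates Java 8u191.
        System.setProperty("com.sun.jndi.ldap.object.trustURLCodebase", "false");

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":" + port);
        env.put("com.sun.jndi.ldap.connect.timeout", "3000");
        env.put("com.sun.jndi.ldap.read.timeout", "3000");
        DirContext ctx = new InitialDirContext(env);
        try {
            // getAttributes() only returns attribute values; unlike lookup() it does
            // not reconstruct a Java object from the entry, so a malicious entry
            // cannot trigger class loading or deserialization here.
            ctx.getAttributes(baseDn, new String[] {"objectClass"});
            return true;
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) {
        // Offline demonstration of the input check only; no connection is made.
        System.out.println(validateTarget("attacker.example", "1389"));
        System.out.println(validateTarget("ldap.corp.example", "389"));
        System.out.println(validateTarget("ldap.corp.example", "0"));
    }
}
```

The allow-list is the control that actually closes the hole: the trustURLCodebase property only stops the remote-codebase variant, and `getAttributes` only avoids the decoding step, so neither is a substitute for refusing to connect to servers the administrator never configured.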

Resolution

Upgrade to ColdFusion 11 Update 15 or higher. The same bulletin (APSB18-33) is addressed by ColdFusion 2016 Update 7 and ColdFusion 2018 Update 1 for those branches. Until the update is applied, restrict access to the ColdFusion administrator interfaces to trusted addresses and block outbound LDAP (TCP 389/636) and HTTP connections from the ColdFusion host to anything other than approved directory servers, since the attack needs the server to connect out to the attacker's LDAP server and codebase.

References

https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html
https://packetstormsecurity.com/files/166108/Adobe-ColdFusion-11-Remote-Code-Execution.html

Limitations

Exploit works on ColdFusion 11. The ColdFusion host must be able to reach the attacker's LDAP server (and the codebase it points to), so egress filtering defeats it. Remote class loading over an LDAP reference also depends on the JVM under ColdFusion: since Java 8u191 (7u201, 6u211) the default com.sun.jndi.ldap.object.trustURLCodebase=false refuses to fetch classes from a codebase URL, so on a newer JRE that path fails even though the server can still be made to connect out.

Platforms

Windows
Linux
