CVE-2010-2861

CRITICAL KEV RANSOMWARE NUCLEI

Adobe ColdFusion <9.0.1 - Path Traversal


Exploitation Summary

CVE-2010-2861 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022, with confirmed use in ransomware campaigns. EIP tracks 4 public exploits from researchers including Metasploit, anonymous, and greysneakthief; one of them is the Metasploit module auxiliary/scanner/http/coldfusion_locale_traversal. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module exploits a directory traversal vulnerability in Adobe ColdFusion (CVE-2010-2861) to read the password.properties file, bypass authentication, and achieve remote code execution by scheduling a malicious task.

Description

Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.

Exploits (4)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · multiple
https://www.exploit-db.com/exploits/16985

This Metasploit module exploits a directory traversal vulnerability in Adobe ColdFusion (CVE-2010-2861) to read the password.properties file, bypass authentication, and achieve remote code execution by scheduling a malicious task.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion 8 and below
No auth needed
Prerequisites: Network access to the ColdFusion administrator interface · ColdFusion version 8 or below
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC VERIFIED
by anonymous · python · remote · multiple
https://www.exploit-db.com/exploits/14641

This exploit leverages a directory traversal vulnerability in Adobe ColdFusion to read arbitrary files by manipulating the 'locale' parameter in POST requests. It attempts multiple admin page filenames to bypass restrictions and retrieves file contents via HTTP responses.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Adobe ColdFusion 8
No auth needed
Prerequisites: Network access to the ColdFusion server · Vulnerable ColdFusion version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by greysneakthief · infoleak
https://github.com/greysneakthief/14641-v2

This repository contains a functional Python 3 port of the CVE-2010-2861 ColdFusion directory traversal exploit. The script sends crafted HTTP POST requests to vulnerable ColdFusion endpoints, leveraging a null-byte injection in the 'locale' parameter to read arbitrary files, such as password.properties.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Adobe ColdFusion (versions affected by CVE-2010-2861)
No auth needed
Prerequisites: Network access to the ColdFusion server · Vulnerable ColdFusion endpoint exposed
devstral-2 · analyzed Feb 19, 2026

metasploit WORKING POC
by CG, nebulus · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/coldfusion_locale_traversal.rb

This Metasploit module exploits a directory traversal vulnerability in Adobe ColdFusion via the 'locale' parameter to retrieve sensitive files like password.properties. It includes fingerprinting to identify vulnerable versions and OS-specific traversal paths.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion MX6, MX7, 8.0, 8.0.1 (prior to patches)
No auth needed
Prerequisites: Network access to the ColdFusion administrator interface · Vulnerable ColdFusion version (MX6, MX7, 8.0, or 8.0.1 without patches)
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
HIGH · by pikpikcu
Shodan: http.component:"Adobe ColdFusion" || http.component:"adobe coldfusion" || http.title:"coldfusion administrator login" || cpe:"cpe:2.3:a:adobe:coldfusion"
FOFA: title="coldfusion administrator login" || app="adobe-coldfusion"

References (6)

Core References
Not Applicable, Vendor Advisory x_refsource_confirm
http://www.adobe.com/support/security/bulletins/apsb10-18.html
Broken Link third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8137
Broken Link third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8148

Scores

CVSS v3 9.8
EPSS 0.9424
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2021-09-21
InTheWild.io 2022-03-25
ENISA EUVD EUVD-2010-2865
Ransomware Use Confirmed
CWE CWE-22
Status published
Products (1)
adobe/coldfusion < 9.0.1
Published Aug 11, 2010
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026