CVE-2013-0625

CRITICAL KEV

Adobe ColdFusion <9.0.2 - Auth Bypass

Exploitation Summary

CVE-2013-0625 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 7, 2022. EIP tracks 1 public exploit.

AI-analyzed exploit summary: This Metasploit module exploits multiple vulnerabilities in Adobe ColdFusion APSB13-03, including CVE-2013-0625 for arbitrary command execution via scheduleedit.cfm, CVE-2013-0629 for directory traversal, and CVE-2013-0632 for authentication bypass. It leverages scheduled tasks to drop and execute payloads on the target system.

Description

Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.

Exploits (1)

exploitdb WORKING POC
ruby · remote · multiple
https://www.exploit-db.com/exploits/24946

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion (versions affected by APSB13-03)
Auth required
Prerequisites: Network access to the ColdFusion server · Valid credentials or authentication bypass · ColdFusion administrator interface accessible
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57164

Scores

CVSS v3 9.8
EPSS 0.9380
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-03-07
VulnCheck KEV 2013-01-09
InTheWild.io 2013-01-18
ENISA EUVD EUVD-2013-0636
CWE CWE-287
Status published
Products (3)
adobe/coldfusion 9.0
adobe/coldfusion 9.0.1
adobe/coldfusion 9.0.2
Published Jan 09, 2013
KEV Added Mar 07, 2022
Tracked Since Feb 18, 2026