CVE-2013-0632

CRITICAL KEV

Adobe ColdFusion <10 - Auth Bypass

Title source: llm

Description

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

Exploits (4)

exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby, remote, multiple
https://www.exploit-db.com/exploits/30210
exploitdb · WORKING POC · VERIFIED
by Metasploit · ruby, remote, multiple
https://www.exploit-db.com/exploits/24946
exploitdb · WORKING POC
by Scott Buckel · text, webapps, windows
https://www.exploit-db.com/exploits/27755
metasploit · WORKING POC · GREAT
by Scott Buckel · ruby, poc, win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/coldfusion_rds_auth_bypass.rb

Scores

CVSS v3 9.8
EPSS 0.9268
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-03
VulnCheck KEV 2013-01-17
InTheWild.io 2014-01-17
ENISA EUVD EUVD-2013-0643
CWE
CWE-276
Status published
Products (4)
adobe/coldfusion 9.0
adobe/coldfusion 9.0.1
adobe/coldfusion 9.0.2
adobe/coldfusion 10.0
Published Jan 17, 2013
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026