CVE-2013-3336

EXPLOITED

Adobe ColdFusion <10 - Info Disclosure


Exploitation Summary

CVE-2013-3336 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including HTP, sinn3r, and nebulus, one of which is the Metasploit module auxiliary/gather/coldfusion_pwd_props.

AI-analyzed exploit summary: This exploit leverages a Local File Inclusion (LFI) vulnerability in Adobe ColdFusion 9/10 to disclose sensitive information, including absolute paths and credentials stored in password.properties. It performs fingerprinting and OS detection before attempting to extract credentials.

Description

Unspecified vulnerability in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to read arbitrary files via unknown vectors.

Exploits (2)

exploitdb WORKING POC
by HTP · python · webapps · multiple
https://www.exploit-db.com/exploits/25305

This exploit leverages a Local File Inclusion (LFI) vulnerability in Adobe ColdFusion 9/10 to disclose sensitive information, including absolute paths and credentials stored in password.properties. It performs fingerprinting and OS detection before attempting to extract credentials.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion 9/10
No auth needed
Prerequisites: Network access to the ColdFusion administrator interface · ColdFusion 9/10 with default or vulnerable configuration
devstral-2 · analyzed Feb 16, 2026

metasploit WORKING POC
by HTP, sinn3r, nebulus · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/coldfusion_pwd_props.rb

This Metasploit module exploits a directory traversal vulnerability in ColdFusion to extract sensitive information such as password hashes from the 'password.properties' file. It targets ColdFusion 9 and 10 by leveraging a path traversal technique to access restricted files.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Adobe ColdFusion 9, 10
No auth needed
Prerequisites: Network access to the ColdFusion administrator interface · Vulnerable ColdFusion version (9 or 10)
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/25305

Scores

EPSS 0.8589
EPSS Percentile 99.4%

Details

VulnCheck KEV 2013-05-14
Status published
Products (4)
adobe/coldfusion 9.0
adobe/coldfusion 9.0.1
adobe/coldfusion 9.0.2
adobe/coldfusion 10.0
Published May 09, 2013
Tracked Since Feb 18, 2026