module
Adobe ColdFusion Unauthenticated Arbitrary File Read
| Disclosed |
|---|
| N/A |
Disclosed
N/A
Description
This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe
ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read
an arbitrary file from the server.
To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option,
and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the
ColdFusion Administrator (CFIDE) is provided. If the CFIDE is not accessible you will need to choose a
different CFC endpoint, method and parameters.
ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in order to read
an arbitrary file from the server.
To run this module you must provide a valid ColdFusion Component (CFC) endpoint via the CFC_ENDPOINT option,
and a valid remote method name from that endpoint via the CFC_METHOD option. By default an endpoint in the
ColdFusion Administrator (CFIDE) is provided. If the CFIDE is not accessible you will need to choose a
different CFC endpoint, method and parameters.
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.