CVE-2013-0632

critical-risk
Published 2013-01-17

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

Do I need to act?

!
92.7% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
!
3 public exploits available
30210, 24946, 27755
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (4)

Affected Vendors

Adobe

References (7)

Mitigation http://www.adobe.com/support/security/advisories/apsa13-01.html
Broken Link http://www.adobe.com/support/security/bulletins/apsb13-03.html
Exploit http://www.exploit-db.com/exploits/30210
Mitigation http://www.adobe.com/support/security/advisories/apsa13-01.html
Broken Link http://www.adobe.com/support/security/bulletins/apsb13-03.html
Exploit http://www.exploit-db.com/exploits/30210
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-...
76
/ 100
critical-risk
Severity 32/34 · Critical
Exploitability 34/34 · Critical
Exposure 10/34 · Low