CVE-2013-0625
Published: 09 January 2013
Summary
CVE-2013-0625 is a critical-severity Improper Authentication (CWE-287) vulnerability in Adobe Coldfusion. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 0.9% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 contain an authentication bypass vulnerability when no password is configured for the server. The flaw, tracked as CWE-287, permits remote attackers to circumvent authentication controls and potentially execute arbitrary code through unspecified vectors, resulting in a CVSS 3.1 base score of 9.8.
Remote unauthenticated attackers can exploit the issue over the network to gain unauthorized access and achieve code execution on affected ColdFusion installations. The vulnerability was actively exploited in the wild during January 2013.
Adobe published security advisories APSA13-01 and APSB13-03 along with related bulletins that address the issue for the impacted ColdFusion releases. The condition that a password is not configured is explicitly required for the bypass to succeed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-0636
Vulnerability details
Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.
- CWE(s): CWE-287 (Improper Authentication)
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces the authentication requirements that the CVE bypasses when no password is configured.
- IA-2 (Identification and Authentication (Organizational Users)): requires identification and authentication prior to granting access, blocking the unauthenticated remote access path exploited by the CVE.
- Secure configuration settings: mandates configuration settings that ensure a password is configured, eliminating the prerequisite condition for the bypass.