Cyber Resilience

CVE-2013-0625

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 January 2013
Modified: 21 April 2026
KEV Added: 07 March 2022
Patch: (not listed on this page)
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.7834 (99.1st percentile)
Risk Priority: 87 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0625 is a critical-severity Improper Authentication (CWE-287) vulnerability in Adobe ColdFusion. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.9% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 contain an authentication bypass vulnerability that applies when no password is configured for the server. The flaw, classified as CWE-287 (Improper Authentication), permits remote attackers to circumvent authentication controls and potentially execute arbitrary code through unspecified vectors, resulting in a CVSS 3.1 base score of 9.8.

Remote unauthenticated attackers can exploit the issue over the network to gain unauthorized access and achieve code execution on affected ColdFusion installations. The vulnerability was actively exploited in the wild during January 2013.

Adobe published security advisories APSA13-01 and APSB13-03, along with related bulletins, that address the issue for the impacted ColdFusion releases. The bypass succeeds only when no password is configured, so that condition is an explicit prerequisite.


Vulnerability details

Adobe ColdFusion 9.0, 9.0.1, and 9.0.2, when a password is not configured, allows remote attackers to bypass authentication and possibly execute arbitrary code via unspecified vectors, as exploited in the wild in January 2013.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 9.0, 9.0.1, 9.0.2

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authentication requirements that the CVE bypasses when no password is configured.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires identification and authentication prior to granting access, blocking the unauthenticated remote access path exploited by the CVE.

Secure configuration control (prevent; control identifier not given on this page): Mandates secure configuration settings that would ensure a password is configured, eliminating the prerequisite condition for the bypass.
