Cyber Resilience

CVE-2013-0629

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 January 2013
Modified: 21 April 2026
KEV Added: 07 March 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8181 (99.2th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0629 is a high-severity vulnerability in Adobe ColdFusion; its underlying weakness is unspecified. Its CVSS base score is 7.5 (High).

Operationally, it is ranked in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Adobe ColdFusion versions 9.0, 9.0.1, 9.0.2, and 10 are affected by CVE-2013-0629 when no password is configured for the installation. The flaw permits unauthorized access to restricted directories through unspecified vectors and carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low complexity, and no required authentication or user interaction.

Unauthenticated remote attackers can exploit the condition to read files outside intended web-accessible paths. The vulnerability was observed being exploited in the wild in January 2013.

Adobe addressed the issue in security advisories APSA13-01 and APSB13-03, which provide mitigation guidance and link to the corresponding bulletin APSB13-03 for patch information.

Vulnerability details

Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013.

CWE(s)
KEV Date Added: 07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe coldfusion: 10.0, 9.0, 9.0.1, 9.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces access control decisions to block unauthenticated requests to restricted directories when no password is configured.

prevent

Requires identification and authentication before granting access, eliminating the unauthenticated directory traversal condition described in the CVE.

prevent

Mandates secure baseline configuration settings that would ensure a password is set during ColdFusion installation, closing the reported attack vector.
