CVE-2013-0631

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 January 2013
Modified: 21 April 2026
KEV Added: 07 March 2022
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.8163 (99.2th percentile)
Risk Priority: 84 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-0631 is a high-severity vulnerability of unspecified weakness type in Adobe ColdFusion. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AU-13 (Monitoring for Information Disclosure).

Deeper analysis

Adobe ColdFusion versions 9.0, 9.0.1, and 9.0.2 contain an unspecified information disclosure vulnerability that can be triggered over the network. The flaw carries a CVSS 3.1 base score of 7.5, reflecting high confidentiality impact with no authentication or user interaction required.

Remote attackers can exploit the weakness to obtain sensitive information from affected servers. Public records indicate the vulnerability was actively exploited in the wild as early as January 2013.

Adobe addressed the issue through security advisories APSA13-01 and APSB13-03, which include mitigation guidance and patch information. The vulnerability is also catalogued by CISA as a known exploited vulnerability, confirming ongoing real-world targeting of unpatched ColdFusion 9 installations.

Vulnerability details

Adobe ColdFusion 9.0, 9.0.1, and 9.0.2 allows attackers to obtain sensitive information via unspecified vectors, as exploited in the wild in January 2013.

CWE(s)
KEV Date Added: 07 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

adobe
coldfusion
9.0, 9.0.1, 9.0.2

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely application of Adobe patches (APSB13-03) to eliminate the remote information disclosure flaw in ColdFusion 9.

prevent

Boundary protection can restrict network exposure of unpatched ColdFusion servers, blocking the unauthenticated remote vectors used in the January 2013 exploitation.

detect

Explicitly monitors for unauthorized information disclosure attempts that match the high-confidentiality-impact behavior described in CVE-2013-0631.
