Cyber Resilience

CVE-2013-0632

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 17 January 2013
Modified: 21 April 2026
KEV Added: 03 March 2022
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9268 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2013-0632 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Adobe ColdFusion. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS 0.9268); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

The vulnerability CVE-2013-0632 resides in administrator.cfc within Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10. The RDS (Remote Development Services) component ships with an empty default password; a client that logs in to RDS with that blank password obtains a session that can reach the administrative web interface without any other credential. The weakness is classified as CWE-276, Incorrect Default Permissions.

Remote attackers exploit the flaw over the network by logging in to RDS with the blank password and pivoting through that session to administrative functions, resulting in authentication bypass and potentially arbitrary code execution. The CVSS 3.1 score of 9.8 reflects that no credentials or user interaction are required (PR:N, UI:N) and that confidentiality, integrity and availability are all fully impacted.

Adobe security advisory APSA13-01 and security bulletin APSB13-03 address the issue and direct administrators to apply the available patches or implement the recommended configuration changes. Whichever route is taken, confirm afterwards that RDS is either disabled or protected by a non-empty password, and that the administrative interface is not reachable from untrusted networks. The vulnerability was observed being exploited in the wild in January 2013.
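As an added example (not code from this page, from Adobe, or from any advisory), the following Python script runs over constructed web-server access-log lines and flags the two patterns a responder would look for given the behaviour described above: requests to administrator.cfc from outside an administrative allowlist, and a successful login call to administrator.cfc followed shortly by a request to the administrative UI from the same client. The paths /CFIDE/adminapi/administrator.cfc and /CFIDE/administrator/, the Apache combined log format and the 10.0.0.0/8 allowlist are assumptions made for the demonstration, not facts stated on the page; adjust them to your deployment.

```python
"""Flag access to ColdFusion's administrator.cfc from untrusted sources and
login-then-admin-UI pivots in web server access logs.

Added example, not the page's code. Assumptions not stated on the page: the
admin API component is served at /CFIDE/adminapi/administrator.cfc and the
admin UI under /CFIDE/administrator/ (default install layout); the log is in
Apache combined format; 10.0.0.0/8 is the only network allowed to administer.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs

ADMIN_API = "/cfide/adminapi/administrator.cfc"   # assumed default path (lower-cased)
ADMIN_UI_PREFIX = "/cfide/administrator/"          # assumed default path (lower-cased)

# Networks allowed to reach the administrative interface (AC-3, access enforcement).
ADMIN_ALLOWLIST = [ip_network("10.0.0.0/8")]       # assumption for the demo

# Constructed sample log lines for the demonstration; not captured from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jan/2013:09:12:01 +0000] "GET /index.cfm HTTP/1.1" 200 5120
203.0.113.17 - - [18/Jan/2013:09:12:44 +0000] "POST /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 311
203.0.113.17 - - [18/Jan/2013:09:12:45 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 9876
10.0.0.9 - - [18/Jan/2013:10:01:02 +0000] "POST /CFIDE/adminapi/administrator.cfc?method=login HTTP/1.1" 200 311
198.51.100.8 - - [18/Jan/2013:11:30:00 +0000] "GET /CFIDE/adminapi/administrator.cfc?method=getBuildNumber HTTP/1.1" 200 44
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path.lower(),
        # The CFC method is passed as the 'method' query parameter.
        "cfc_method": parse_qs(query).get("method", [None])[0],
        "status": int(m.group("status")),
    }


def parse_log(text):
    """Parse every line of the log text, silently skipping malformed lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_trusted(ip, allowlist=ADMIN_ALLOWLIST):
    """True if the client address falls inside one of the allowlisted admin networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def untrusted_admin_api_hits(text, allowlist=ADMIN_ALLOWLIST):
    """Every request to administrator.cfc from outside the admin allowlist.

    No status filter is applied: with a blank RDS password in play, any reach
    of the admin API from an untrusted source deserves a look.
    """
    return [r for r in parse_log(text)
            if r["path"].endswith(ADMIN_API) and not is_trusted(r["ip"], allowlist)]


def login_pivots(text, window=timedelta(minutes=5)):
    """Successful login calls to administrator.cfc followed, within `window`, by a
    request to the admin UI from the same client: the session pivot described above.
    Returns (ip, login_time, admin_ui_time) tuples in ISO 8601 form."""
    records = sorted(parse_log(text), key=lambda r: r["ts"])
    logins = [r for r in records
              if r["path"].endswith(ADMIN_API)
              and r["cfc_method"] == "login" and 200 <= r["status"] < 300]
    pivots = []
    for login in logins:
        for r in records:
            if (r["ip"] == login["ip"] and r["path"].startswith(ADMIN_UI_PREFIX)
                    and login["ts"] <= r["ts"] <= login["ts"] + window):
                pivots.append((login["ip"], login["ts"].isoformat(), r["ts"].isoformat()))
                break
    return pivots


if __name__ == "__main__":
    for hit in untrusted_admin_api_hits(SAMPLE_LOG):
        print(f"untrusted admin API hit: {hit['ip']} {hit['method']} "
              f"{hit['path']} cfc_method={hit['cfc_method']}")
    for ip, t_login, t_ui in login_pivots(SAMPLE_LOG):
        print(f"login -> admin UI pivot: {ip} login at {t_login}, admin UI at {t_ui}")
```

On the constructed sample the first check flags the two external clients that touched administrator.cfc and ignores the internal 10.0.0.9 login, while the pivot check isolates 203.0.113.17, whose successful login call is followed one second later by a hit on the admin UI. The allowlist check is the detective counterpart of AC-3: if administrator.cfc is only ever reachable from the admin network, every untrusted hit is a finding rather than noise.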

Vulnerability details

administrator.cfc in Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10 allows remote attackers to bypass authentication and possibly execute arbitrary code by logging in to the RDS component using the default empty password and leveraging this session to access the administrative web interface, as exploited in the wild in January 2013.

CWE(s): CWE-276 (Incorrect Default Permissions)
KEV Date Added: 03 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: adobe
Product: coldfusion
Versions: 9.0, 9.0.1, 9.0.2, 10.0

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent): directly requires changing or disabling default authenticators such as the empty RDS password that enables the authentication bypass.

AC-3 Access Enforcement (prevent): enforces authentication and access-control decisions before any session is allowed to reach the administrative interface via administrator.cfc.

Prevent: mandates applying secure configuration settings or patches that eliminate the insecure default RDS password and exposed administrative functions.
