Introduction
The CFAdmin web interface introduces a large attack surface to ColdFusion environments. That shouldn’t be a surprise since it adds a substantial default codebase intended to provide hooks into sensitive functionality. When performing a threat model it could be perfectly reasonable to equate a CFAdmin compromise with a full system compromise. In many organizations, the users with CFAdmin access may also be platform system administrators – with full, direct access to the underlying operating system. If that's the case, a malicious CFAdmin user is equivalent to a malicious system administrator, and you’re cooked either way.
But with that said, Adobe has expended considerable effort to protect and secure CFAdmin. From monthly security patches, to webserver connectors and connector updates, to fixing other authenticated CFAdmin exploit paths – CFAdmin has become more secure over time. And in some environments, CFAdmin access and full platform access are distinct roles, which gives those organizations a reason to care about every authenticated CFAdmin exploitation vector.
Driving Toward Danger
Let’s shift gears and look at one example of how we can achieve remote code execution from within CFAdmin, by abusing the ColdFusion Archive (CAR) deployment functionality.
ColdFusion Archives are a ZIP-like file format used to package and deploy ColdFusion configurations, files, and applications. They can provide a convenient way to move applications from one server to another (or to many). CFAdmin provides a way to create and deploy CAR files, in the Packaging & Deployment section. We can use this interface to create a CAR file that we can then deploy elsewhere, but let's first take a quick look at the file format.
In the following example, we've already created a very simple CAR file named webshell.car, and have added one file – a simple CFML webshell copied from /tmp/webshell/webshell.cfm. In an attack scenario, this file would be created by the attacker, independent of the target server environment. We can view the contents of a sample CAR file to better understand the file structure:
% unzip -l webshell.car
  Length      Date    Time    Name
---------  ---------- -----   ----
      265  04-25-2025 05:53   {/tmp/webshell/}/webshell.cfm
     1466  04-25-2025 05:53   {WorkingDir}/server_settings.xml
     2006  04-25-2025 05:53   {WorkingDir}/archive_properties.xml
---------                     -------
Two XML configuration files, archive_properties.xml and server_settings.xml, are automatically added to the CAR in addition to whatever files we choose to bundle. And if we unzip this CAR file, we will observe the following file and directory structures:
./{WorkingDir}
./{WorkingDir}/archive_properties.xml
./{WorkingDir}/server_settings.xml
./{/tmp
./{/tmp/webshell
./{/tmp/webshell/}
./{/tmp/webshell/}/webshell.cfm
The Road to Exploitation
The process to deploy a CAR file involves specifying the path for the CAR, clicking the Deploy button, and following the prompts in CFAdmin. Under typical circumstances, an administrator will have their CAR file to deploy stored somewhere on the server filesystem. This presents a conundrum for our CFAdmin-only attacker. If he could write files to the server somehow, he’d just do that directly without all of this CFAdmin and CAR jibber-jabber.
What we need is a way to get our CAR file from a source that the attacker can control. Enter – remote guest SMB shares.
Figure 1. UNC / UNC / Unc (eh, eh?)
Unauthenticated SMB shares are risky in both directions. Obviously – no authentication on your network shares means that anyone can read (and possibly modify) files. But if your host (or your application) will automatically read from unauthenticated SMB shares via a UNC path, this provides an easy way to source files from a potentially untrusted and malicious location.
Microsoft disabled guest (anonymous) access to SMB shares by default in Windows Server 2019 - for reasons outlined in this article. But guest SMB access is enabled by default in Windows Server 2016, which is a supported platform for ColdFusion 2025 (and earlier). And this gives an attacker the ability to deploy a CAR to the server without access to the local server filesystem.
In CFAdmin, we can specify an attacker-controlled UNC path as the source of our CAR, in this case \\attacker-server\share\webshell.car, where this location has been set up as an attacker-controlled SMB share that doesn't require read authentication:
The Deployment process shows the directories added in the CAR file (/tmp/webshell/ in this case):
And we can specify alternate directory path(s) on the local server where the files in the CAR should be deployed. In this case, we're choosing to deploy the files to our webroot, C:\Inetpub\wwwroot\:
Now that the attacker's CFML webshell has been deployed to the webroot of the server, we can make a web request to execute it:
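To make the archive layout from the unzip listing and the directory remapping from the deploy wizard concrete, here is an added Python script. It is not code from this post or from ColdFusion. The "{<source directory>}/<relative path>" entry naming and the per-directory remap model are inferred from the listing and screenshots above (an assumption, not a documented format), and the sample CAR it builds in memory is constructed here with placeholder XML bodies. Given a CAR and the source-to-target mapping chosen in the wizard, it reports where each file would land and flags CFML that would become web-reachable, which is the check an administrator would want before clicking Deploy.

```python
"""Inspect a ColdFusion Archive (CAR) before deploying it.

Added example, not code from the original post or from ColdFusion. A CAR is
a ZIP; from the listing above, each bundled file is stored under an entry
named "{<source directory>}/<relative path>", and the two generated config
files sit under "{WorkingDir}/". The prefix format is inferred from that
listing (an assumption), as is the remapping model: the deploy wizard lets
you pick an alternate target directory per source directory.
"""
from __future__ import annotations

import io
import re
import zipfile
from dataclasses import dataclass

# "{/tmp/webshell/}/webshell.cfm" -> src="/tmp/webshell/", rel="webshell.cfm"
ENTRY_RE = re.compile(r"^\{(?P<src>[^}]*)\}/(?P<rel>.+)$")
CFML_EXT = (".cfm", ".cfml", ".cfc")
METADATA_DIR = "WorkingDir"


@dataclass
class CarEntry:
    source_dir: str  # directory the file was packaged from (the {...} prefix)
    rel_path: str    # path of the file relative to that directory
    size: int


def parse_car(data: bytes) -> list[CarEntry]:
    """Return the deployable files in a CAR, skipping the {WorkingDir} metadata."""
    entries: list[CarEntry] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            m = ENTRY_RE.match(info.filename)
            if m is None:
                raise ValueError(f"unexpected CAR entry name: {info.filename!r}")
            if m.group("src") == METADATA_DIR:
                continue  # archive_properties.xml / server_settings.xml
            entries.append(CarEntry(m.group("src"), m.group("rel"), info.file_size))
    return entries


def _join(directory: str, rel: str) -> str:
    """Join using the separator style of the target directory (POSIX or Windows)."""
    windows = "\\" in directory or re.match(r"^[A-Za-z]:", directory) is not None
    sep = "\\" if windows else "/"
    return directory.rstrip("/\\") + sep + rel.replace("/", sep)


def deploy_targets(entries: list[CarEntry], remap: dict[str, str]) -> dict[tuple[str, str], str]:
    """Map each bundled file (source_dir, rel_path) to the path it would be written to.

    `remap` models the wizard's alternate-directory prompt: source directory ->
    target directory. Unmapped source directories deploy to their original path.
    """
    return {
        (e.source_dir, e.rel_path): _join(remap.get(e.source_dir, e.source_dir), e.rel_path)
        for e in entries
    }


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower().rstrip("/")


def risky_deployments(
    entries: list[CarEntry], remap: dict[str, str], webroots: list[str]
) -> list[tuple[str, str]]:
    """(rel_path, target) for CFML files that would land under a web root."""
    hits = []
    for (_, rel), target in deploy_targets(entries, remap).items():
        if not rel.lower().endswith(CFML_EXT):
            continue
        if any(_norm(target).startswith(_norm(w) + "/") for w in webroots):
            hits.append((rel, target))
    return hits


def build_sample_car() -> bytes:
    """Constructed sample mirroring the listing above; XML bodies are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("{/tmp/webshell/}/webshell.cfm", "<!--- webshell body omitted --->")
        zf.writestr("{WorkingDir}/server_settings.xml", "<!-- placeholder -->")
        zf.writestr("{WorkingDir}/archive_properties.xml", "<!-- placeholder -->")
    return buf.getvalue()


if __name__ == "__main__":
    entries = parse_car(build_sample_car())
    for e in entries:
        print(f"{e.size:>6}  {e.source_dir}  ->  {e.rel_path}")
    # The remap from the walkthrough: /tmp/webshell/ -> the IIS web root.
    remap = {"/tmp/webshell/": "C:\\Inetpub\\wwwroot\\"}
    for rel, target in risky_deployments(entries, remap, ["C:\\Inetpub\\wwwroot"]):
        print(f"WARNING: CFML file {rel} would be web-reachable at {target}")
```

Run it against a real CAR by replacing build_sample_car() with the bytes of the file; the remap dict is the only thing that encodes what an operator types into the wizard, so reviewing it next to the flagged entries shows exactly which bundled CFML would end up served by IIS.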
Buckling Up: Patch Released and Some Additional Thoughts On Reducing Exposure
This vulnerability was assigned CVE-2025-61808 and patched in APSB25-105. The allowed sources for CAR files and associated files that will be deployed from a CAR file are now controlled in ColdFusion's pathfilter.json configuration file. Refer to the appropriate tech note for your ColdFusion version for additional details.
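The post does not show the format of pathfilter.json, so the following is only an illustration of the allow-list principle behind the fix, written as an added Python example rather than Adobe's code. It accepts a CAR source path only if it is an absolute local path under an approved directory, and it rejects the UNC path used above along with forward-slash UNC, \\?\ device paths, drive-relative paths, and ".." escapes. The approved root C:\cf\archives is an assumed staging directory, not a ColdFusion default. ntpath is used so the Windows path rules apply wherever the script runs.

```python
"""Allow-list a CAR source path before the server opens it.

Added example, not code from the post or from Adobe's fix. The post says the
patch restricts CAR sources via pathfilter.json but does not show that file's
format, so this only illustrates the principle: accept an absolute local path
under an approved directory, and reject UNC / device paths (\\server\share,
//server/share, \\?\...) and anything that escapes the approved root.
ntpath is used so the Windows rules apply regardless of the host OS.
"""
import ntpath


def is_allowed_car_source(path: str, allowed_roots: list[str]) -> bool:
    """True only if `path` is an absolute local path inside one of `allowed_roots`."""
    # Drive-relative ("C:archives\a.car") and rootless paths depend on the
    # process's current directory; refuse them rather than guess.
    if not ntpath.isabs(path):
        return False
    drive, _ = ntpath.splitdrive(path)
    # splitdrive returns the "\\server\share" part for UNC paths; device
    # paths such as \\?\ and \\.\ start the same way. Refuse all of them.
    if ntpath.normcase(drive).startswith("\\\\"):
        return False
    if not drive:
        return False  # "\foo" without a drive letter: not a fixed local location
    # Collapse ".." segments and fold case before comparing against the roots.
    candidate = ntpath.normcase(ntpath.normpath(path))
    for root in allowed_roots:
        root_n = ntpath.normcase(ntpath.normpath(root)).rstrip("\\") + "\\"
        if candidate.startswith(root_n):
            return True
    return False


if __name__ == "__main__":
    roots = ["C:\\cf\\archives"]  # assumed staging directory, not a ColdFusion default
    for p in [r"C:\cf\archives\app.car",
              r"\\attacker-server\share\webshell.car",
              r"//attacker-server/share/webshell.car",
              r"C:\cf\archives\..\..\Windows\Temp\x.car"]:
        verdict = "allow " if is_allowed_car_source(p, roots) else "reject"
        print(f"{verdict}  {p}")
```

The ordering matters: normalizing before the UNC check would let a path like C:\cf\archives\..\..\..\\server\share slip through on some normalizers, so the prefix is classified first and ".." is collapsed only for the final containment test. Symlinks and junctions under the approved root are not resolved here; a real implementation should also resolve the path on the filesystem before opening it.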
What else can an organization do to limit the risk here? Strict network egress filtering rules can be used to prevent communication with external SMB shares. And migrating to Windows Server 2019 or later, or disabling guest access for remote SMB shares, should prevent exploitation as well. Beyond that, the best advice may be to fanatically protect access to CFAdmin. Enforce strict access control. Treat access control bypasses – even to just the CFAdmin login page – as high-impact defects that need to be remediated immediately. Assume that unknown, unpatched vulnerabilities exist in CFAdmin. If an attacker can’t access CFAdmin, he can’t exploit CFAdmin.
Timeline
2025-04-25 - Reported the vulnerability to Adobe PSIRT
2025-12-09 - Adobe Security Bulletin APSB25-105 released
2026-01-05 - Blog post published