Monday, January 5, 2026
RCE via ColdFusion ARchive (CAR) Deployment: One Example of an Authenticated Attack Path in CFAdmin (CVE-2025-61808)
Introduction: In this post we'll be looking at one way that an authenticated user with only ColdFusion Administration (CFAdmin) access...
Monday, December 22, 2025
Digging Through Six Old Sandbox Escapes in ColdFusion (ca. 2001 through 2012)
Time for some vulnerability archaeology! I'm sure you're as excited as I am. In a previous post I covered a technique to generate...
Wednesday, November 12, 2025
Speaking at DistrictCon in January 2026 on Language-Level Vulnerabilities in Adobe ColdFusion
I'm thrilled to be speaking at DistrictCon in late January 2026. My talk will cover some recent language-level vulnerabilities in Co...
Wednesday, June 25, 2025
Sandbox Security Escapes in ColdFusion and Lucee (CVE-2025-30288 and CVE-2024-55354)
Introduction: In this post I'm going to cover the technical details of a security sandbox escape technique that affects Adobe ColdFusion ...
Tuesday, June 24, 2025
CFCamp 2025 Slides - Understanding CFML Vulnerabilities, Exploits, and Attack Paths
In May I had the pleasure of attending my first CFCamp, where I spoke about CFML security. The slides from my talk -- Understanding CFML ...
Monday, January 13, 2025
An SSRF to LFI Payload for PDF Generators (CVE-2024-34112 and beyond)
"Hola, amigos. How’s it hangin’? I know it’s been a long time since I last rapped at ya, but I've been busier than a feather plucke...
Monday, December 23, 2024
An Initial Analysis of Adobe ColdFusion CVE-2024-53961
A ColdFusion security patch released two days before Christmas? I have a feeling that may have resulted in many sysadmins shouting "Fi...
Thursday, August 8, 2024
BSidesLV 2024 Slides - Modern ColdFusion Exploitation and Attack Surface Reduction
Thank you to BSidesLV for the opportunity to speak this year. The slides from my talk, Modern ColdFusion Exploitation and Attack Surface ...