CVE-2010-2861

CVE-2010-2861 is a critical-severity vulnerability in Adobe Coldfusion with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-22.

Key facts

Description

Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.

CVE-2010-2861: Adobe ColdFusion Administrator Console Directory Traversal

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2010-2861
Published 2010-08-11
CVSS v2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS v3.1 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
EPSS 0.99721 (99.95th percentile)
KEV Yes — added 2022-03-25
Product Adobe ColdFusion
Assigner [email protected]

Summary

Adobe ColdFusion 9.0.1 and earlier versions contain multiple directory traversal vulnerabilities in the administrator console. An unauthenticated remote attacker can exploit these flaws by manipulating the locale parameter across several CFM endpoints to read arbitrary files from the underlying file system, including sensitive configuration files and source code.

Background

Adobe ColdFusion is a commercial rapid web-application development platform. The administrator console (/CFIDE/administrator/) provides a web-based interface for managing server settings, data sources, logging, and J2EE packaging. Prior to the fix, several administrative CFM scripts accepted a locale parameter without proper validation, allowing directory traversal sequences to escape intended paths.

Root Cause — CWE-22

The vulnerability falls under CWE-22: Path Traversal. The affected CFM scripts passed user-supplied locale values directly into file-path construction logic without:

  • Input sanitization or whitelist validation
  • Canonicalization of pathnames
  • Restriction to a predefined set of locale directories

By injecting traversal sequences such as ../../../, an attacker could break out of the intended locale directory and access files anywhere on the server's file system that the ColdFusion process had permissions to read.

Impact

Metric Value Interpretation
Attack Vector Network Exploitable remotely over the internet
Attack Complexity Low No special conditions required
Privileges Required None No authentication needed
User Interaction None Fully automated exploitation possible
Scope Unchanged Impact limited to the vulnerable component
Confidentiality High Arbitrary file read
Integrity High Underlying framework may allow further tampering
Availability High Potential for chained exploitation

The CVSS v3.1 score of 9.8 (Critical) reflects the trivial exploitability and severe confidentiality impact. The high EPSS score (0.99721) and inclusion in CISA's KEV catalog confirm active, widespread exploitation in the wild.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: The following description is provided for defenders to understand attack surface and detection patterns. No weaponized exploit code is included.

  1. Reconnaissance: The attacker identifies a ColdFusion instance with an exposed /CFIDE/administrator/ path.
  2. Endpoint enumeration: The attacker probes the known vulnerable endpoints:
    • CFIDE/administrator/settings/mappings.cfm
    • CFIDE/administrator/logging/settings.cfm
    • CFIDE/administrator/datasources/index.cfm
    • CFIDE/administrator/j2eepackaging/editarchive.cfm
    • CFIDE/administrator/enter.cfm
  3. Parameter injection: The attacker sends an HTTP GET or POST request with a malicious locale parameter containing directory traversal sequences (e.g., locale=../../../ followed by a target file path).
  4. File disclosure: If the server responds with the contents of the requested file (e.g., neo-datasource.xml, password.properties, or OS files such as /etc/passwd), the target is confirmed vulnerable.

Defenders should monitor for unusual locale parameter values containing ../, %2e%2e%2f, or absolute path strings in requests to the CFIDE administrator paths.

Affected and Patched Versions

Status Versions
Affected Adobe ColdFusion 9.0.1 and earlier
Patched See Adobe security bulletin APSB10-18 for specific hotfix versions

The exact patched version details were not available in the source data; administrators should consult the official Adobe bulletin to confirm their installed version is no longer vulnerable.

Remediation

  1. Apply the vendor patch: Install the hotfix referenced in Adobe Security Bulletin APSB10-18.
  2. Restrict access: Block or restrict access to /CFIDE/administrator/ at the network level (firewall, IP whitelist, or reverse-proxy rules). The administrator console should never be exposed to untrusted networks.
  3. Input validation: If custom locale-handling code exists, enforce strict whitelist validation against a known set of locale identifiers and reject any path traversal patterns.
  4. File system permissions: Ensure the ColdFusion service account runs with least-privilege permissions, limiting the scope of files that could be disclosed even if traversal occurs.

Detection

  • WAF signatures: Deploy rules that inspect the locale parameter on CFIDE administrator endpoints for ../, encoded traversal sequences, or absolute paths.
  • Log analysis: Monitor web server and application logs for requests to the five known vulnerable endpoints with anomalous locale values.
  • File integrity monitoring: Alert on unexpected access to sensitive ColdFusion configuration files (neo-*.xml, password.properties, jrun.xml).
  • Honeypot/honeyfile: Place a canary file in a predictable location and monitor for access patterns matching traversal attempts.

Assessment

Despite being disclosed in 2010, CVE-2010-2861 remains a high-priority risk due to its inclusion in CISA's Known Exploited Vulnerabilities catalog and an EPSS score approaching unity. The trivial network-accessible, unauthenticated attack vector makes it a reliable target for opportunistic and targeted threat actors alike.

Key lessons:

  1. Administrative interfaces are high-value targets. Exposing /CFIDE/administrator/ to the public internet continues to be a common misconfiguration that amplifies the impact of bugs like this.
  2. Old vulnerabilities do not age out. A 2010 flaw actively exploited since 2022 demonstrates that attackers regularly scan for and exploit legacy software. Patch latency and exposure management matter more than disclosure date.

References

Frequently asked questions

What is CVE-2010-2861?
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
How severe is CVE-2010-2861?
CVE-2010-2861 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2010-2861 being actively exploited?
Yes. CVE-2010-2861 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2010-2861?
CVE-2010-2861 affects Adobe Coldfusion. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2010-2861?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2010-2861 have an EU (EUVD) identifier?
Yes. CVE-2010-2861 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2010-2865. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2010-2861 published?
CVE-2010-2861 was published on 2010-08-11 and last updated on 2026-06-16.

References

Affected products (1)

More vulnerabilities in Adobe Coldfusion

All CVEs affecting Adobe Coldfusion →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →