CVE-2010-2861
CVE-2010-2861 is a critical-severity vulnerability in Adobe Coldfusion with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 100% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-25)
- EU (EUVD) id: EUVD-2010-2865
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-25)
- Weakness: CWE-22
- Affected product: Adobe Coldfusion
- Published:
- Last modified:
Description
Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
CVE-2010-2861: Adobe ColdFusion Administrator Console Directory Traversal
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2010-2861 |
| Published | 2010-08-11 |
| CVSS v2 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| CVSS v3.1 | 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| EPSS | 0.99721 (99.95th percentile) |
| KEV | Yes — added 2022-03-25 |
| Product | Adobe ColdFusion |
| Assigner | [email protected] |
Summary
Adobe ColdFusion 9.0.1 and earlier versions contain multiple directory traversal vulnerabilities in the administrator console. An unauthenticated remote attacker can exploit these flaws by manipulating the locale parameter across several CFM endpoints to read arbitrary files from the underlying file system, including sensitive configuration files and source code.
Background
Adobe ColdFusion is a commercial rapid web-application development platform. The administrator console (/CFIDE/administrator/) provides a web-based interface for managing server settings, data sources, logging, and J2EE packaging. Prior to the fix, several administrative CFM scripts accepted a locale parameter without proper validation, allowing directory traversal sequences to escape intended paths.
Root Cause — CWE-22
The vulnerability falls under CWE-22: Path Traversal. The affected CFM scripts passed user-supplied locale values directly into file-path construction logic without:
- Input sanitization or whitelist validation
- Canonicalization of pathnames
- Restriction to a predefined set of locale directories
By injecting traversal sequences such as ../../../, an attacker could break out of the intended locale directory and access files anywhere on the server's file system that the ColdFusion process had permissions to read.
Impact
| Metric | Value | Interpretation |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the internet |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | Fully automated exploitation possible |
| Scope | Unchanged | Impact limited to the vulnerable component |
| Confidentiality | High | Arbitrary file read |
| Integrity | High | Underlying framework may allow further tampering |
| Availability | High | Potential for chained exploitation |
The CVSS v3.1 score of 9.8 (Critical) reflects the trivial exploitability and severe confidentiality impact. The high EPSS score (0.99721) and inclusion in CISA's KEV catalog confirm active, widespread exploitation in the wild.
Exploitation Walkthrough (Defensive Perspective)
Ethics caveat: The following description is provided for defenders to understand attack surface and detection patterns. No weaponized exploit code is included.
- Reconnaissance: The attacker identifies a ColdFusion instance with an exposed
/CFIDE/administrator/path. - Endpoint enumeration: The attacker probes the known vulnerable endpoints:
CFIDE/administrator/settings/mappings.cfmCFIDE/administrator/logging/settings.cfmCFIDE/administrator/datasources/index.cfmCFIDE/administrator/j2eepackaging/editarchive.cfmCFIDE/administrator/enter.cfm
- Parameter injection: The attacker sends an HTTP GET or POST request with a malicious
localeparameter containing directory traversal sequences (e.g.,locale=../../../followed by a target file path). - File disclosure: If the server responds with the contents of the requested file (e.g.,
neo-datasource.xml,password.properties, or OS files such as/etc/passwd), the target is confirmed vulnerable.
Defenders should monitor for unusual locale parameter values containing ../, %2e%2e%2f, or absolute path strings in requests to the CFIDE administrator paths.
Affected and Patched Versions
| Status | Versions |
|---|---|
| Affected | Adobe ColdFusion 9.0.1 and earlier |
| Patched | See Adobe security bulletin APSB10-18 for specific hotfix versions |
The exact patched version details were not available in the source data; administrators should consult the official Adobe bulletin to confirm their installed version is no longer vulnerable.
Remediation
- Apply the vendor patch: Install the hotfix referenced in Adobe Security Bulletin APSB10-18.
- Restrict access: Block or restrict access to
/CFIDE/administrator/at the network level (firewall, IP whitelist, or reverse-proxy rules). The administrator console should never be exposed to untrusted networks. - Input validation: If custom locale-handling code exists, enforce strict whitelist validation against a known set of locale identifiers and reject any path traversal patterns.
- File system permissions: Ensure the ColdFusion service account runs with least-privilege permissions, limiting the scope of files that could be disclosed even if traversal occurs.
Detection
- WAF signatures: Deploy rules that inspect the
localeparameter on CFIDE administrator endpoints for../, encoded traversal sequences, or absolute paths. - Log analysis: Monitor web server and application logs for requests to the five known vulnerable endpoints with anomalous
localevalues. - File integrity monitoring: Alert on unexpected access to sensitive ColdFusion configuration files (
neo-*.xml,password.properties,jrun.xml). - Honeypot/honeyfile: Place a canary file in a predictable location and monitor for access patterns matching traversal attempts.
Assessment
Despite being disclosed in 2010, CVE-2010-2861 remains a high-priority risk due to its inclusion in CISA's Known Exploited Vulnerabilities catalog and an EPSS score approaching unity. The trivial network-accessible, unauthenticated attack vector makes it a reliable target for opportunistic and targeted threat actors alike.
Key lessons:
- Administrative interfaces are high-value targets. Exposing
/CFIDE/administrator/to the public internet continues to be a common misconfiguration that amplifies the impact of bugs like this. - Old vulnerabilities do not age out. A 2010 flaw actively exploited since 2022 demonstrates that attackers regularly scan for and exploit legacy software. Patch latency and exposure management matter more than disclosure date.
References
- http://securityreason.com/securityalert/8137
- http://securityreason.com/securityalert/8148
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
- http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
- http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-2861
Frequently asked questions
- What is CVE-2010-2861?
- Multiple directory traversal vulnerabilities in the administrator console in Adobe ColdFusion 9.0.1 and earlier allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
- How severe is CVE-2010-2861?
- CVE-2010-2861 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2010-2861 being actively exploited?
- Yes. CVE-2010-2861 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2010-2861?
- CVE-2010-2861 affects Adobe Coldfusion. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2010-2861?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2010-2861 have an EU (EUVD) identifier?
- Yes. CVE-2010-2861 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2010-2865. It is also flagged as exploited in the EUVD (since 2022-03-25).
- When was CVE-2010-2861 published?
- CVE-2010-2861 was published on 2010-08-11 and last updated on 2026-06-16.
References
- http://securityreason.com/securityalert/8137
- http://securityreason.com/securityalert/8148
- http://www.adobe.com/support/security/bulletins/apsb10-18.html
- http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
- http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-2861
Affected products (1)
- cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
More vulnerabilities in Adobe Coldfusion
- CVE-2026-48283 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48276 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type…
- CVE-2025-54261 — Critical (CVSS 10.0): ColdFusion versions 2025.3, 2023.15, 2021.21 and earlier are affected by an Improper Limitation of a Pathname to a…
All CVEs affecting Adobe Coldfusion →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…