Threat Watch

Ten-Year-Old Vulnerabilities Being Exploited To This Day

Sophos revealed that two ColdFusion vulnerabilities have been targeted by threat actors recently. These vulnerabilities were patched by Adobe more than ten years ago. The threat group and the services company they targeted are still unnamed, but the threat actors are believed to have used Cring ransomware. The two vulnerabilities that were exploited were CVE-2010-2861 and CVE-2009-3960. Exploiting these vulnerabilities allowed the attackers to gain access to a password file and upload a web shell file to that server, which was then used to add a Cobalt Strike Beacon payload. More than three days later the Cring ransomware was deployed with a note that stated the victim must pay the ransom to have access to the decryptor. The victim’s server was running on ColdFusion 9 and Windows 2008, which both reached EOL in 2016 and 2020. Sophos principal researcher stated, “Cring ransomware isn’t new, but it’s uncommon. In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date, and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades.”


The most common-sense recommendation is to advise companies and individuals to update regularly and download patches as they become available. Using unpatched programs and running them after their end-of-life can become extremely risky and open the door for attackers to take advantage of the outdated systems.