Adobe ColdFusion Servers Targeted in Coordinated Campaign

Posted on January 2, 2026 By CWS

A threat actor has been targeting roughly a dozen vulnerabilities in Adobe ColdFusion as part of a massive initial access campaign, GreyNoise warns.

During the Christmas 2025 holiday, the threat intelligence firm observed hundreds of requests targeting ColdFusion servers globally, apparently part of a single, coordinated intrusion effort.

The requests mainly originated from Japan-based infrastructure (associated with CTG Server Limited), with two IP addresses accounting for most of the observed traffic.

GreyNoise observed roughly 6,000 requests targeting ColdFusion vulnerabilities that were publicly disclosed in 2023 and 2024, with the activity peaking on December 25.

“The campaign leveraged ProjectDiscovery Interactsh for out-of-band callback verification, with JNDI/LDAP injection as the primary attack vector. The deliberate timing during Christmas Day (68% of traffic) suggests intentional targeting during reduced security monitoring periods,” GreyNoise notes.

Most of the requests targeted servers in the US (4,044), Spain (753), India (128), and Canada, Chile, Germany, and Pakistan (100 each).

The two primary IP addresses involved in the Adobe ColdFusion exploitation were seen operating concurrently 41% of the time, sending requests at intervals of 1-5 seconds to cycle through 11 distinct attack types per target.
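For defenders reviewing their own ColdFusion front ends, the sketch below is an added example, not code from GreyNoise or the original article. It scans access-log lines for JNDI-resolvable URLs (`ldap://`, `ldaps://`, `rmi://`), marks callbacks to Interactsh hosts, and checks for the 1-5 second request cadence described above. It assumes combined log format and only sees the request line, so payloads carried in request bodies need WAF or proxy logs instead; the sample lines, IPs and `.cfm` paths are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Public default Interactsh domains; a self-hosted server would use another name.
OAST = ("oast.pro", "oast.live", "oast.site", "oast.online", "oast.fun", "oast.me", "interact.sh")
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi)://([a-z0-9.-]+)", re.I)
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

# Constructed sample log (documentation IP ranges, hypothetical .cfm paths).
SAMPLE = """\
192.0.2.10 - - [25/Dec/2025:10:00:01 +0000] "GET /a.cfm?x=ldap%3A%2F%2Fid1.oast.fun%2Fa HTTP/1.1" 404 0
192.0.2.10 - - [25/Dec/2025:10:00:04 +0000] "GET /b.cfm?x=ldap%253A%252F%252Fid2.oast.fun%252Fb HTTP/1.1" 404 0
192.0.2.10 - - [25/Dec/2025:10:00:08 +0000] "GET /c.cfm?x=rmi://id3.oast.me/c HTTP/1.1" 500 0
198.51.100.7 - - [25/Dec/2025:10:02:00 +0000] "GET /help.cfm?ref=ldap://dir.example.org/ HTTP/1.1" 200 512
203.0.113.5 - - [25/Dec/2025:10:03:00 +0000] "GET /index.cfm?q=ldap+setup HTTP/1.1" 200 900
""".splitlines()

def decode(s, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so nested encodings still match."""
    for _ in range(rounds):
        s, prev = unquote(s), s
        if s == prev:
            break
    return s

def scan(lines, max_gap=5):
    """Per source IP: flagged request count, distinct paths, OAST callback seen, 1-5 s cadence."""
    seen = defaultdict(lambda: {"paths": set(), "oast": False, "times": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, ts, target = m.group(1), m.group(2), decode(m.group(3))
        hosts = [h.lower() for h in JNDI_URL.findall(target)]
        if not hosts:
            continue
        rec = seen[src]
        rec["paths"].add(target.split("?", 1)[0])
        rec["times"].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
        rec["oast"] |= any(h == d or h.endswith("." + d) for h in hosts for d in OAST)
    out = {}
    for src, rec in seen.items():
        t = sorted(rec["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
        out[src] = {"requests": len(t), "paths": len(rec["paths"]), "oast": rec["oast"],
                    "burst": len(gaps) >= 2 and all(1 <= g <= max_gap for g in gaps)}
    return out
```

Calling `scan(SAMPLE)` returns one summary per source address; a source with `oast` and `burst` both set matches the pattern reported for this campaign, while a lone `ldap://` reference to a non-OAST host is listed but not marked.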

GreyNoise’s investigation revealed that the ColdFusion attacks represent only a small fraction of the malicious activity associated with the two IP addresses.

Used in a massive exploitation campaign, likely operated by an initial access broker, the IPs have generated over 2.5 million requests targeting more than 700 security defects in dozens of security stacks, the threat intelligence firm says.

GreyNoise also notes that the ISP hosting the infrastructure was previously involved in malicious operations such as phishing and spam.

Operating AS152194, the hosting provider is registered in Hong Kong, controls over 200,000 IPv4 addresses, and likely operates with limited abuse enforcement, GreyNoise notes.
