Shortly after New Year’s, the CrowdSec Network detected an exploitation campaign targeting CVE-2024-20767, an arbitrary file read vulnerability in Adobe ColdFusion. CVE-2024-20767 allows attackers to read and modify arbitrary files within ColdFusion. Typically, CrowdSec detects around 15 distinct IP addresses probing for this vulnerability every day.
On January 4, 2026, we observed a spike of over 100 machines probing a vast slice of the web. Such campaigns against old vulnerabilities often precede the discovery of a new exploit against the targeted software. We expect this to be the case here.

Key findings
- Exploitation of CVE-2024-20767 surged on January 4th, 2026, with a peak of over 100 distinct machines probing for the vulnerability. Activity has since declined again to normal levels.
- The vulnerability was published to NVD on March 18, 2024. It was added to CISA KEV in December that year, and CrowdSec started seeing exploits targeting this vulnerability around the same time. In March of 2025, CrowdSec additionally released a detection rule for the CrowdSec WAF due to consistent exploitation activity.
- A resurgence of activity against old, patched vulnerabilities usually coincides with the release of new vulnerabilities affecting the same system.

What is Adobe ColdFusion?
Adobe ColdFusion is a commercial web application development platform used by enterprises worldwide to build and deploy scalable web and mobile applications. It provides a tag-based and scriptable language that makes common web tasks straightforward and helps non-technical users experiment with concept products. Adobe ColdFusion runs on the JVM (Java Virtual Machine) and fits naturally into Java-based infrastructure. As a consequence, it is often found in business and enterprise infrastructure.

About CVE-2024-20767
The vulnerability, tracked as CVE-2024-20767, is an Improper Access Control issue. Researchers discovered that specific unauthenticated HTTP requests to the Performance Monitoring Toolset (PMS) component could be manipulated to read arbitrary files from the underlying file system.
Because the vulnerability lets attackers bypass security measures and read sensitive files from the server without logging in, they could obtain configuration files containing database passwords, proprietary source code, or system files that can be used to launch further attacks or gain full control of the server. Unlike many complex exploits, this attack does not require user interaction or prior authentication. If the ColdFusion server (specifically the PMS port/endpoint) is exposed to the internet, it is vulnerable.
The vulnerability affects both ColdFusion 2021 and ColdFusion 2023, and patches are available for each release. Further information can be found in Adobe’s Security Bulletin (linked below).

Trend analysis
Over the past three months, the signals received by the CrowdSec Network for this vulnerability mostly originated from security scanners and formed part of what we refer to as “internet background noise”.
On the 4th of January, we observed unusual attack volumes coming from a different set of attackers. The attack peaked at around 100 distinct machines. Most of these attackers originated from DigitalOcean droplets, an ephemeral type of server infrastructure provided by DigitalOcean. The attackers were quickly shut down, most likely due to automated takedowns by the hosting provider. By the end of the day, the vulnerability was back to its usual level of noise, with benign security scanners making up the bulk of attacks.
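
The pattern described above (a jump in distinct source IPs, mostly from machines not seen before) can be checked on your own alert data. The sketch below is an added example, not CrowdSec's detection logic: the function names, the 7-day window and the thresholds are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

def daily_sources(events):
    """Group (day, source_ip) events into {day: set of distinct IPs}."""
    by_day = defaultdict(set)
    for day, ip in events:
        by_day[day].add(ip)
    return dict(by_day)

def find_spikes(by_day, window=7, k=5.0, min_new_ratio=0.5):
    """Flag days whose distinct-IP count is far above the trailing baseline
    and whose sources are mostly unseen in that baseline window."""
    spikes = []
    days = sorted(by_day)
    for i, day in enumerate(days):
        prior = days[max(0, i - window):i]
        if len(prior) < window:
            continue  # not enough history for a baseline
        counts = [len(by_day[d]) for d in prior]
        base = median(counts)
        # Median absolute deviation; fall back to 1 to avoid a zero-width band.
        mad = median(abs(c - base) for c in counts) or 1
        seen = set().union(*(by_day[d] for d in prior))
        today = by_day[day]
        new_ratio = len(today - seen) / len(today)
        if len(today) > base + k * mad and new_ratio >= min_new_ratio:
            spikes.append((day, len(today), base, round(new_ratio, 2)))
    return spikes

def constructed_events():
    """Constructed sample data (documentation IP ranges), not real telemetry:
    14 to 16 recurring scanner IPs per day, plus 100 one-off IPs on 2026-01-04."""
    events = []
    start = date(2025, 12, 25)
    for offset in range(14):
        day = start + timedelta(days=offset)
        n = 14 + offset % 3
        events += [(day, f"192.0.2.{h}") for h in range(1, n + 1)]
        if day == date(2026, 1, 4):
            events += [(day, f"198.51.100.{h}") for h in range(1, 101)]
    return events

if __name__ == "__main__":
    for day, count, base, ratio in find_spikes(daily_sources(constructed_events())):
        print(f"{day}: {count} distinct IPs (baseline {base}), {ratio:.0%} new sources")
```

Requiring both conditions keeps a single noisy day from the usual scanners from being reported as a campaign, and the day after the spike is not flagged because the median baseline absorbs the outlier.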

How to protect your systems
To secure your infrastructure against this threat:
- Patch Immediately: Apply the security updates provided by Adobe (Update 13 for ColdFusion 2021, Update 7 for ColdFusion 2023).
- Network Segmentation: Ensure that the ColdFusion Administrator interface and internal components like the Performance Monitoring Toolset are not exposed to the public internet. Use a VPN or IP allowlisting for administrative access.
- CrowdSec Protection: The CrowdSec Network detects and blocks IPs engaging in this exploitation behavior. Ensure your CrowdSec agents are active and subscribed to the community blocklist.
