A coordinated exploitation campaign that generated more than 2.5 million malicious requests against Adobe ColdFusion<\/a> servers and 47+ other technology platforms during the Christmas 2025 holiday period.<\/p>\n The operation was attributed to a single threat actor operating from Japan-based infrastructure. This indicates an advanced scanning effort by attackers seeking both legacy and new vulnerabilities dating back 20 years.<\/p>\n The focused ColdFusion phase of the campaign exploited 10+ critical CVEs from 2023\u20132024, with peak activity on Christmas Day accounting for 68% of attack traffic.<\/p>\n The deliberate timing during holiday downtime, when security teams typically operate at reduced capacity, suggests intentional targeting of monitoring gaps.<\/p>\n Approximately 5,940 requests targeted ColdFusion servers across 20 countries, with the United States accounting for 68% of sessions.<\/p>\n Two primary IP addresses (134.122.136.119 and 134.122.136.96) hosted by CTG Server Limited generated the vast majority of attack traffic.<\/p>\n The threat actor leveraged ProjectDiscovery Interactsh, an out-of-band<\/a> testing platform, for callback verification, deploying nearly 10,000 unique OAST domains across oast.pro, oast. Site, and oast.me services.<\/p>\n The primary attack vector exploited WDDX deserialization to trigger JNDI\/LDAP injection, targeting the com.sun.rowset.JdbcRowSetImpl gadget chain. Notably, the ColdFusion activity represents only 0.2% of the broader operation.<\/p>\n Complete campaign analysis reveals systematic reconnaissance across 767 distinct CVEs affecting Java application servers, web frameworks, CMS platforms, and enterprise applications.<\/p>\n The most frequently targeted vulnerabilities were CVE-2022-26134<\/a> (Confluence OGNL injection) with 12,481 requests and CVE-2014-6271<\/a> (Shellshock) with 8,527 requests.<\/p>\n Network fingerprinting analysis identified 4,118 unique JA4H HTTP signatures, indicating that template-based scanning was likely performed using Nuclei or similar frameworks.<\/p>\n The attacker\u2019s infrastructure exhibited concerning associations: CTG Server Limited previously hosted\u00a0phishing<\/a>\u00a0infrastructure targeting luxury brands, including Chanel and Cartier, and announced Bogon routes,<\/span> suggesting inadequate network hygiene.<\/p>\n According to GreyNoise Labs,<\/a> organizations should immediately block the identified IP addresses and ASNs, implement signatures for the published JA4+ fingerprints, and prioritize patching ColdFusion and Java-based infrastructure.<\/p>\n The campaign\u2019s scale and sophistication indicate advanced reconnaissance capabilities typical of initial access brokers preparing for downstream attacks.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post 2.5 Million+ Malicious Request From Hackers Attacking Adobe ColdFusion Servers<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj_c2rA3m488oZtrswJGKV6hBrXBn75R7xRjaliyqz99oaNFGCEveu6abaLv9mNNKC3wz6eQbfF1Gp9-hKnhZS-T-dcwsLUPyRCa5Rum_0CSZWxEZye3EhFCk9mo_gKvORXgesKh8z1spkL1nMMB46tt8hMVAOH0msp5-dECMSiYd35xWQmEw93h0nPR6ei\/w640-h554\/Heatmap.webp?ssl=1\")