A coordinated exploitation campaign generated more than 2.5 million malicious requests, focusing on Adobe ColdFusion servers while simultaneously probing dozens of other widely used platforms.
The “… deliberate timing during Christmas Day (68% of traffic) suggests intentional targeting during reduced security monitoring periods,” said GreyNoise Labs researchers.
Attackers Scan Hundreds of Vulnerabilities
The campaign highlights how attackers deliberately exploit predictable operational gaps, such as reduced staffing and monitoring during major holidays.
While ColdFusion was only one component of a much broader operation, it remains a frequent target due to its presence in legacy enterprise environments.
GreyNoise telemetry shows the campaign targeted Adobe ColdFusion and at least 47 other platforms, scanning for exploitable conditions across 767 CVEs affecting web, Java, CMS, and enterprise systems.
Attack Timing and Geographic Scope
The ColdFusion-specific phase of the operation focused on more than 10 critical vulnerabilities disclosed between 2023 and 2024.
Approximately 68% of ColdFusion-related attack traffic occurred on Dec. 25, 2025 alone, suggesting intentional timing to coincide with reduced defensive coverage.
In total, analysts observed 5,940 ColdFusion-focused requests across 20 countries.
The vast majority of malicious traffic originated from two IP addresses — 134[.]122[.]136[.]119 and 134[.]122[.]136[.]96 — both hosted by CTG Server Limited.
Inside the ColdFusion Exploitation Chain
The ColdFusion attacks leveraged WDDX deserialization flaws to trigger JNDI and LDAP injection, targeting the com.sun.rowset.JdbcRowSetImpl gadget chain.
This exploitation technique has been used repeatedly in Java ecosystems due to its reliability and low barrier to execution when systems remain unpatched.
To validate exploit success, the threat actor relied heavily on ProjectDiscovery’s Interactsh, an out-of-band application security testing platform.
Nearly 10,000 unique OAST domains were deployed across services such as oast[.]pro, oast[.]site, and oast[.]me, allowing the attacker to confirm vulnerable systems through callback interactions without deploying full payloads.
Network fingerprinting further revealed 4,118 unique JA4H HTTP signatures, indicating the use of template-driven scanning frameworks such as Nuclei.
Researchers suggested that the diversity of fingerprints indicates iterative testing and fine-tuning, consistent with reconnaissance conducted at scale rather than a single exploit attempt.
While no post-exploitation was confirmed, the techniques align with initial access broker activity used to identify and monetize access for downstream attacks.
How Organizations Can Reduce Exposure
With attackers leveraging large-scale, automated scanning to identify vulnerable systems, organizations should take proactive steps to reduce exposure and improve detection.
- Block the identified malicious IP addresses and associated autonomous systems to disrupt known attack traffic.
- Prioritize patching for Adobe ColdFusion and other exposed Java-based applications, especially systems accessible from the internet.
- Reduce internet exposure of ColdFusion servers by enforcing strict access controls and network segmentation.
- Deploy WAF rules, rate limiting, and detection signatures for JA4 and JA4H fingerprints to identify and block automated scanning activity.
- Restrict outbound network connections from application servers to prevent callback-based exploitation and command-and-control activity.
- Review historical and ongoing logs to identify indicators of scanning, exploitation attempts, or abnormal request patterns.
Together, these actions help reduce exposure, disrupt reconnaissance, and limit the potential impact of exploitation attempts.
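As an added example (not GreyNoise tooling or code from this article), the log review recommended above can be automated: the script below flags requests from the two source IPs named in the report, per-source request bursts, and any application-server DNS lookups for the Interactsh OAST domains the attacker used for callbacks. The combined-log and DNS-log formats, the sample lines, and the interact.sh suffix are assumptions.

```python
import re
from collections import Counter

# Source IPs quoted in the GreyNoise report (written defanged in the article).
SCANNER_IPS = {"134.122.136.119", "134.122.136.96"}
# OAST domains named in the article; interact.sh is the project's default (assumption).
OAST_SUFFIXES = ("oast.pro", "oast.site", "oast.me", "interact.sh")

# Apache/Nginx combined log format (assumed layout of the access log).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Minimal egress DNS log, "<timestamp> <client-ip> <queried-name>" (constructed format).
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+)$")


def is_oast_name(qname: str) -> bool:
    """True when the queried name is, or is a subdomain of, a known OAST domain."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES)


def analyse(access_lines, dns_lines, burst_threshold=50):
    """Return (kind, subject, detail) findings from access and egress-DNS logs."""
    per_ip, findings = Counter(), []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        per_ip[m["ip"]] += 1
        if m["ip"] in SCANNER_IPS:
            findings.append(("known_scanner_ip", m["ip"], m["path"]))
    for ip, n in per_ip.items():
        if n >= burst_threshold:  # one source hammering many paths = template scanning
            findings.append(("high_volume_source", ip, n))
    for line in dns_lines:
        m = DNS_RE.match(line)
        if m and is_oast_name(m["qname"]):
            # An app server resolving an OAST name means an injected payload reached it
            # and tried to call back: treat as a likely hit, not just a scan.
            findings.append(("oast_callback", m["client"], m["qname"]))
    return findings


# Constructed sample logs, not real telemetry.
SAMPLE_ACCESS = [
    '134.122.136.119 - - [25/Dec/2025:02:11:09 +0000] "POST /index.cfm HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '134.122.136.119 - - [25/Dec/2025:02:11:10 +0000] "POST /index.cfm HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [25/Dec/2025:02:12:00 +0000] "GET /index.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
SAMPLE_DNS = [
    "2025-12-25T02:11:10Z 10.0.5.20 c8a1example.oast.pro.",
    "2025-12-25T02:11:11Z 10.0.5.21 updates.example.com.",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_ACCESS, SAMPLE_DNS, burst_threshold=2):
        print(*finding)
```

Run it against real access and egress-DNS exports; an OAST callback from a server that should never resolve external names is the finding to escalate first.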
The Shift Toward Reconnaissance-First Attacks
This campaign illustrates a broader shift toward high-volume, automated reconnaissance that prioritizes identifying exploitable systems at scale rather than immediate exploitation.
By combining long-standing legacy vulnerabilities, modern scanning frameworks, and carefully chosen timing — such as holiday periods — attackers can systematically map enterprise environments and validate access opportunities long before any follow-on attacks are launched.
These reconnaissance-driven campaigns highlight why timely, consistent patch management is critical to reducing the number of systems attackers can identify and target at scale.
