Massive holiday exploitation campaign targets adobe ColdFusion, other systems

GreyNoise security researchers report that a hacker group launched a massive scanning and exploitation campaign during the 2025 Christmas holiday. The attacker used Japan-based infrastructure to target Adobe ColdFusion servers and dozens of other technology stacks. 

This operation appears to be looking for weak points while security teams are reduced or completely off during the holidays. 

The attacker sent over 2.5 million requests using automated tools. They used out-of-band (OAST) callbacks via the Interactsh platform to verify successful breaks. 

The primary method involved JNDI/LDAP injection and WDDX deserialization. Most traffic came from two specific IP addresses linked to CTG Server Limited, a provider with a history of hosting phishing and malicious activity.

Primary attack IP addresses

• 134.122.136.119
• 134.122.136.96

Attaclers cycled through 11 distinct attack types per target.

Additional IPs used

• 23.234.85.20
• 38.225.206.87
• 38.225.206.88
• 172.81.132.99
• 172.68.119.26
• 162.159.110.4

The campaign targeted the following vulnerabilities among many others:

• CVE-2023-26359 (CVSS 9.8): Deserialization RCE in ColdFusion.
• CVE-2023-38205 (CVSS 7.5): Access control bypass in ColdFusion.
• CVE-2024-20767 (CVSS 8.2): Arbitrary file read in ColdFusion.
• CVE-2022-26134 (CVSS 9.8): Confluence OGNL injection.
• CVE-2014-6271 (CVSS 10.0): Shellshock.

Attackers tried to steal sensitive system files through local file inclusion (LFI). The targeted data included:

• System password files (/etc/passwd)
• Application configuration files (password.properties)
• Server credentials and metadata

Organizations should block the identified IPs and update their software immediately. Monitoring for Interactsh callback domains can help find compromised systems.