Threat intelligence firm GreyNoise has identified a large-scale, coordinated intrusion campaign targeting Adobe ColdFusion servers across the globe.

The activity, observed during the Christmas 2025 holiday period, involved thousands of exploit attempts against known ColdFusion vulnerabilities disclosed in 2023 and 2024. The campaign appears highly automated, centrally orchestrated, and deliberately timed to coincide with reduced security monitoring.

GreyNoise assesses the activity as consistent with an initial access broker (IAB) operation, designed to identify and compromise vulnerable systems for later resale or downstream exploitation.

Adobe ColdFusion remains a frequent target for attackers due to its long deployment lifecycle and the prevalence of unpatched instances exposed to the internet.

Initial access brokers specialize in mass exploitation campaigns, scanning for vulnerable systems and establishing footholds that can later be monetized through ransomware affiliates, data theft groups, or botnet operators.

Holiday periods are particularly attractive windows for such campaigns, as staffing levels and response times are often reduced across enterprise environments.

During Christmas Day 2025, GreyNoise observed a sharp surge in malicious requests targeting ColdFusion servers worldwide.

Approximately 6,000 exploit attempts were recorded, with 68% of the activity occurring on December 25 alone. The requests focused on roughly a dozen ColdFusion vulnerabilities publicly disclosed over the past two years.

The majority of traffic originated from infrastructure in Japan associated with CTG Server Limited, with just two IP addresses responsible for most of the observed activity.

Targeted systems were primarily located in the United States, Spain, India, and several other countries across Europe, Asia, and South America.

The campaign leveraged ProjectDiscovery Interactsh for out-of-band callback verification, a technique commonly used to confirm successful exploitation attempts.

The primary attack vector involved JNDI/LDAP injection, allowing attackers to trigger callbacks from vulnerable servers and validate exploitability without immediately deploying payloads.

GreyNoise observed the two main IP addresses operating concurrently 41% of the time, issuing requests every one to five seconds. Each target was systematically tested against 11 distinct attack patterns, indicating a structured and repeatable exploitation framework.

While the ColdFusion activity alone is significant, GreyNoise found it represents only a small portion of the malicious behavior tied to the infrastructure.

In total, the same IP addresses generated over 2.5 million requests probing more than 700 vulnerabilities across dozens of technology stacks. This breadth strongly suggests an industrial-scale scanning and exploitation operation rather than opportunistic attacks.

Successful compromises could provide attackers with persistent access, enabling follow-on ransomware deployment, credential harvesting, or lateral movement within enterprise networks.

This campaign reinforces a critical security lesson: unpatched, internet-facing enterprise software remains a primary attack surface.

The deliberate timing during a major holiday highlights how attackers optimize campaigns around organizational blind spots. It also demonstrates how a small number of IPs, backed by permissive hosting environments, can drive outsized global impact.

For organizations running ColdFusion, delayed patching significantly increases exposure to automated exploitation at scale.

GreyNoise notes that the hosting provider behind the infrastructure operates within AS152194, an autonomous system registered in Hong Kong with access to more than 200,000 IPv4 addresses.

The ISP has previously been linked to phishing and spam operations and is believed to enforce limited abuse controls—conditions that make it attractive for large-scale malicious campaigns.

Security teams are advised to review ColdFusion exposure, apply all relevant patches, and monitor for JNDI-based exploit attempts.