CVE-2024-20767: Patched Adobe ColdFusion Bug Is Suddenly Getting Hit Again

Here's your Monday report on immediate and emerging threats. Powered by the power of the crowd.

Shortly after New Year's, the CrowdSec Network detected an exploitation campaign targeting CVE-2024-20767, an Arbitrary File Read vulnerability in Adobe ColdFusion. CVE-2024-20767 allows attackers to read and modify arbitrary files within ColdFusion. Typically, CrowdSec detects around 15 distinct IP addresses probing for this vulnerability every day.

On January 4, 2026, we observed a spike of over 100 machines probing a vast slice of the web. Such campaigns against old vulnerabilities often precede the discovery of a new exploit against the targeted software, and we expect this to be the case here.

Key findings

Exploitation of CVE-2024-20767 surged on January 4, 2026, with a peak of over 100 distinct machines probing for the vulnerability. Activity has since returned to normal levels.
The vulnerability was published to NVD on March 18, 2024. It was added to CISA KEV in December that year, and CrowdSec started seeing exploits targeting this vulnerability around the same time. In March of 2025, CrowdSec additionally released a detection rule for the CrowdSec WAF due to consistent exploitation activity.
The resurgence of old, patched vulnerabilities usually coincides with the release of new vulnerabilities affecting the same system.
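
The metric behind these findings, distinct source IPs probing per day compared with the usual level, can be reproduced on your own web server logs. The following is an added example, not CrowdSec's detection rule: the combined access-log format, the placeholder request marker (the page does not give the PMS request path), the thresholds and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import median

# Assumption: placeholder marker; substitute the path your WAF rule matches on.
PROBE_MARKER = "/PMS-ENDPOINT-PLACEHOLDER"
# Combined access-log prefix: ip ident user [day:time zone] "METHOD target ...
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] "\S+ (?P<target>\S+)')

def distinct_probers_per_day(lines, marker=PROBE_MARKER):
    """Map day -> set of source IPs whose request target contains the marker."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m and marker.lower() in m.group("target").lower():
            per_day[m.group("day")].add(m.group("ip"))
    return per_day

def spike_days(per_day, factor=3.0, min_ips=5):
    """Flag days whose distinct-IP count exceeds factor x the median of the other days."""
    counts = {day: len(ips) for day, ips in per_day.items()}
    flagged = []
    for day, n in counts.items():
        others = [c for d, c in counts.items() if d != day]
        baseline = median(others) if others else 0
        if n >= min_ips and n > factor * baseline:
            flagged.append((day, n, baseline))
    return flagged

def constructed_log():
    """Constructed sample lines using documentation IP ranges, not real telemetry."""
    lines = []
    days = (("02/Jan/2026", 2), ("03/Jan/2026", 2), ("04/Jan/2026", 8), ("05/Jan/2026", 3))
    for day, n in days:
        for i in range(n):
            lines.append(f'192.0.2.{i + 1} - - [{day}:10:00:00 +0000] '
                         f'"GET {PROBE_MARKER}?x=1 HTTP/1.1" 404 0')
        # A repeat hit from the same IP must not inflate the distinct count.
        lines.append(f'192.0.2.1 - - [{day}:10:05:00 +0000] "GET {PROBE_MARKER} HTTP/1.1" 404 0')
        # Unrelated traffic is ignored.
        lines.append(f'198.51.100.7 - - [{day}:11:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 512')
    return lines

if __name__ == "__main__":
    for day, n, baseline in spike_days(distinct_probers_per_day(constructed_log())):
        print(f"{day}: {n} distinct probing IPs (baseline {baseline})")
```

Counting distinct sources rather than raw requests keeps a single noisy scanner from looking like a campaign, which is why the report's figures are expressed in IP addresses and machines.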

About CVE-2024-20767

The vulnerability, tracked as CVE-2024-20767, is an Improper Access Control issue. Researchers discovered that specific unauthenticated HTTP requests to the Performance Monitoring Toolset (PMS) component could be manipulated to read arbitrary files from the underlying file system. As the vulnerability allows attackers to bypass security measures and read sensitive files from the server without logging in, attackers could find configuration files containing database passwords, proprietary source code, or system files that can be used to launch further attacks or gain full control of the server. Unlike many complex exploits, this attack does not require user interaction or prior authentication. If the ColdFusion server (specifically the PMS port/endpoint) is exposed to the internet, it is vulnerable.
...
