External risk intelligence

Mura CMS API Remote Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-12257

The vulnerability resides in a CMS application endpoint designed for API interaction. Content Management Systems and their associated API endpoints are commonly deployed as internet-facing web applications to facilitate content delivery and management, making them reachable from the public internet in typical deployments.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability found in Mura CMS. The issue allows remote attackers to execute arbitrary code by manipulating a specific API endpoint. This could lead to a complete compromise of affected systems.

  • Unchecked data allows code execution.
  • It's critical for public-facing systems.
  • Confirm relevance and potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted POST request to a specific API endpoint within Mura CMS. This request would leverage a weakness in how the system handles the "method" parameter, allowing the attacker to inject malicious code. If successful, this could lead to arbitrary code execution on the server, enabling an attacker to compromise the entire system.

  • No authentication or special access required.
  • Triggered via a crafted POST request to an API endpoint.
  • Leads to remote code execution and system compromise.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in Mura CMS could allow an unauthenticated remote attacker to execute arbitrary code by exploiting an improperly validated method parameter in the JSON API endpoint. This could lead to a full system compromise.

  • Arbitrary code execution on the server.
  • Via unauthenticated API request to `/index.cfm/_api/json/v1/default`.
  • Complete system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical remote code execution vulnerability in Mura CMS affects the API endpoint. Responsibility for addressing this likely falls to the platform or application owner team responsible for the CMS, in coordination with infrastructure and security teams to assess and manage risk. The first practical step involves identifying all instances of the affected Mura CMS, confirming their exposure and business criticality, and then planning remediation based on the identified risk profile.

  • Platform or application owners should manage.
  • Verify system reachability and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Mura CMS?

Mura CMS is a content management system built on the Adobe ColdFusion platform. Organizations use it to manage, publish, and serve web content. It functions by processing requests through the ColdFusion engine, which interprets the underlying CFML code to generate the dynamic pages and API responses users interact with.

What does CVE-2026-12257 mean?

This CVE describes a flaw classified as CWE-94: Improper Control of Generation of Code. In plain terms, the software fails to properly check input before processing it. Because of this, the system can be tricked into interpreting data provided by an attacker as legitimate programming instructions, leading to the unauthorized execution of arbitrary code.

How is this Mura CMS vulnerability triggered?

An attacker triggers this by sending a specially crafted POST request to the specific API endpoint located at /index.cfm/_api/json/v1/default. The issue arises when the "method" parameter is processed without proper sanitization. Requests that do not target this specific endpoint or that do not involve the malformed "method" parameter do not trigger this code execution path.

Do I need to worry about this CVE if my server is internal?

Halo Surface Signal indicates that because this vulnerability exists within an API endpoint, it is most commonly found on internet-facing web applications. While internet-exposed systems are at the highest risk, internal systems should still be evaluated. If an internal server is reachable from an untrusted segment of your network, it could still be targeted, making it a priority for assessment.

What should I do first to address this threat?

Start by performing an inventory to locate all instances of Mura CMS within your environment. Once you have identified these systems, verify which ones are running versions prior to 10.0.712. After identifying affected assets, coordinate with your infrastructure team to prioritize these servers for updates based on their business criticality and network reachability.

References