CVE-2026-48282 — Adobe ColdFusion Path Traversal Vulnerability

CVE-2026-48282

Adobe ColdFusion — RDS FILEIO Path Traversal to RCE, Exploited Within Hours of Disclosure

What is Adobe ColdFusion?

Adobe ColdFusion is a commercial rapid-application-development platform and server for building dynamic websites and web applications using the CFML scripting language. It remains widely deployed in government, financial services, and healthcare environments running legacy line-of-business applications. ColdFusion Server historically ships with Remote Development Services (RDS), a feature that lets developers remotely browse, edit, and manage files on the server from tools like Adobe's own development IDE — functionality that, if inadequately restricted, effectively hands a remote party a file-management API into the server's filesystem.

Overview

Adobe ColdFusion contains a maximum-severity path traversal vulnerability in the RDS FILEIO handler, exposed via POST /CFIDE/main/ide.cfm?ACTION=FILEIO. The handler accepts length-prefixed RPC requests — READ, WRITE, RENAME, REMOVE, and CREATE operations against file paths — as an application/octet-stream body, without canonicalizing the supplied paths or enforcing directory boundaries. An attacker can use ../ sequences to escape the intended RDS scope and write a malicious .cfm file into a web-accessible directory, which then executes with the privileges of the ColdFusion service account, yielding remote code execution.

Exploitation in the wild was detected extraordinarily fast: KEVIntel's global honeypot network caught the first exploitation attempt within roughly two hours of Adobe's advisory going live, and the Canadian Centre for Cyber Security independently confirmed active exploitation within a day.

Affected Versions

Product Vulnerable Versions Fixed Versions
ColdFusion 2025 Update 9 and earlier Update 10
ColdFusion 2023 Update 20 and earlier Update 21

Technical Details

  • Root cause: Improper limitation of a pathname to a restricted directory in the RDS FILEIO RPC handler (CWE-22: Path Traversal), allowing ../ sequences to escape the intended file scope.
  • Attack vector: Network, no privileges or user interaction required (AV:N/AC:L/PR:N/UI:N), with a scope change (S:C) since the traversal write lands outside the vulnerable component's intended boundary. CVSS 3.1 base score: 10.0 (Critical).
  • Attack characteristics: A single crafted POST request is sufficient to write an attacker-controlled .cfm file to a web-accessible path, which is then triggered via a simple follow-up GET request — no further chaining required. Multiple sources note that practical exploitation generally requires RDS to be enabled and unauthenticated, which — despite Adobe long recommending RDS be disabled or password-protected in production — remains a common misconfiguration on internet-facing servers.
  • Impact: Full remote code execution in the context of the ColdFusion service account, with corresponding high confidentiality, integrity, and availability impact.

Discovery

No researcher or organization has been publicly credited by name for reporting this vulnerability to Adobe. Adobe's own advisory acknowledges "limited attacks in the wild" at time of publication.

Exploitation Context

Exploitation began almost immediately after disclosure: KEVIntel's honeypot network (operated by Ryan Dewhurst) recorded the first exploitation attempt within about two hours of Adobe's June 30, 2026 advisory, and the Canadian Centre for Cyber Security confirmed active exploitation independently within a day. CISA added the CVE to the KEV catalog on July 7, 2026 with an unusually tight three-day remediation deadline (July 10), reflecting the severity and speed of observed attacks. Shadowserver scans show roughly 750–800 internet-facing ColdFusion instances overall, though the subset with RDS exposed and vulnerable is unclear. No specific threat-actor attribution has been published.

Remediation

  1. Apply Adobe's patch immediately — update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 per APSB26-68.
  2. Disable RDS in production if it is not actively required — this closes the vulnerable code path entirely regardless of patch status.
  3. If RDS must remain enabled, ensure it is password-protected and restricted to trusted management networks only; never expose the RDS interface to the public internet.
  4. Review server logs for requests to /CFIDE/main/ide.cfm?ACTION=FILEIO, particularly ones containing ../ traversal sequences or unexpected file writes, as a sign of prior exploitation attempts.
  5. Audit the web root for unexpected .cfm files that may have been planted via this vulnerability before patching.
  6. Follow CISA BOD 26-04 guidance and the tight July 10, 2026 deadline given confirmed rapid, automated exploitation of this flaw.

Key Details

PropertyValue
CVE ID CVE-2026-48282
Vendor / Product Adobe — ColdFusion
NVD Published2026-06-30
NVD Last Modified2026-07-08
CVSS 3.1 Score10
CVSS 3.1 VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SeverityCRITICAL
CWE CWE-22 find similar ↗
CISA KEV Added2026-07-07
CISA KEV Deadline2026-07-10
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Required Action

CISA BOD 22-01 Deadline: 2026-07-10. Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Timeline

DateEvent
2026-06-30Adobe publishes APSB26-68 and CVE is assigned
2026-06-30KEVIntel honeypot network catches first exploitation attempt within ~2 hours of advisory
2026-07-07Added to CISA Known Exploited Vulnerabilities catalog
2026-07-10CISA BOD 22-01 remediation deadline