What is Adobe ColdFusion?
Adobe ColdFusion is a commercial rapid-application-development platform and server for building dynamic websites and web applications using the CFML scripting language. It remains widely deployed in government, financial services, and healthcare environments running legacy line-of-business applications. ColdFusion Server historically ships with Remote Development Services (RDS), a feature that lets developers remotely browse, edit, and manage files on the server from tools like Adobe's own development IDE — functionality that, if inadequately restricted, effectively hands a remote party a file-management API into the server's filesystem.
Overview
Adobe ColdFusion contains a maximum-severity path traversal vulnerability in the RDS FILEIO handler, exposed via POST /CFIDE/main/ide.cfm?ACTION=FILEIO. The handler accepts length-prefixed RPC requests — READ, WRITE, RENAME, REMOVE, and CREATE operations against file paths — as an application/octet-stream body, without canonicalizing the supplied paths or enforcing directory boundaries. An attacker can use ../ sequences to escape the intended RDS scope and write a malicious .cfm file into a web-accessible directory, which then executes with the privileges of the ColdFusion service account, yielding remote code execution.
Exploitation in the wild was detected extraordinarily fast: KEVIntel's global honeypot network caught the first exploitation attempt within roughly two hours of Adobe's advisory going live, and the Canadian Centre for Cyber Security independently confirmed active exploitation within a day.
Affected Versions
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| ColdFusion 2025 | Update 9 and earlier | Update 10 |
| ColdFusion 2023 | Update 20 and earlier | Update 21 |
Technical Details
- Root cause: Improper limitation of a pathname to a restricted directory in the RDS FILEIO RPC handler (CWE-22: Path Traversal), allowing
../sequences to escape the intended file scope. - Attack vector: Network, no privileges or user interaction required (
AV:N/AC:L/PR:N/UI:N), with a scope change (S:C) since the traversal write lands outside the vulnerable component's intended boundary. CVSS 3.1 base score: 10.0 (Critical). - Attack characteristics: A single crafted POST request is sufficient to write an attacker-controlled
.cfmfile to a web-accessible path, which is then triggered via a simple follow-up GET request — no further chaining required. Multiple sources note that practical exploitation generally requires RDS to be enabled and unauthenticated, which — despite Adobe long recommending RDS be disabled or password-protected in production — remains a common misconfiguration on internet-facing servers. - Impact: Full remote code execution in the context of the ColdFusion service account, with corresponding high confidentiality, integrity, and availability impact.
Discovery
No researcher or organization has been publicly credited by name for reporting this vulnerability to Adobe. Adobe's own advisory acknowledges "limited attacks in the wild" at time of publication.
Exploitation Context
Exploitation began almost immediately after disclosure: KEVIntel's honeypot network (operated by Ryan Dewhurst) recorded the first exploitation attempt within about two hours of Adobe's June 30, 2026 advisory, and the Canadian Centre for Cyber Security confirmed active exploitation independently within a day. CISA added the CVE to the KEV catalog on July 7, 2026 with an unusually tight three-day remediation deadline (July 10), reflecting the severity and speed of observed attacks. Shadowserver scans show roughly 750–800 internet-facing ColdFusion instances overall, though the subset with RDS exposed and vulnerable is unclear. No specific threat-actor attribution has been published.
Remediation
- Apply Adobe's patch immediately — update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 per APSB26-68.
- Disable RDS in production if it is not actively required — this closes the vulnerable code path entirely regardless of patch status.
- If RDS must remain enabled, ensure it is password-protected and restricted to trusted management networks only; never expose the RDS interface to the public internet.
- Review server logs for requests to
/CFIDE/main/ide.cfm?ACTION=FILEIO, particularly ones containing../traversal sequences or unexpected file writes, as a sign of prior exploitation attempts. - Audit the web root for unexpected
.cfmfiles that may have been planted via this vulnerability before patching. - Follow CISA BOD 26-04 guidance and the tight July 10, 2026 deadline given confirmed rapid, automated exploitation of this flaw.
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-48282 |
| Vendor / Product | Adobe — ColdFusion |
| NVD Published | 2026-06-30 |
| NVD Last Modified | 2026-07-08 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-22 find similar ↗ |
| CISA KEV Added | 2026-07-07 |
| CISA KEV Deadline | 2026-07-10 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
Required Action
Timeline
| Date | Event |
|---|---|
| 2026-06-30 | Adobe publishes APSB26-68 and CVE is assigned |
| 2026-06-30 | KEVIntel honeypot network catches first exploitation attempt within ~2 hours of advisory |
| 2026-07-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-07-10 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-48282 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Adobe Security Bulletin APSB26-68 | Vendor Advisory |
| Akamai — Adobe ColdFusion Critical Path Traversal CVE-2026-48282 | Security Research |
| Help Net Security — Adobe ColdFusion CVE-2026-48282 exploitation detected | News |
| BleepingComputer — Max-severity Adobe ColdFusion flaw now exploited in attacks | News |