CVE-2026-48282: a CVSS 10.0 ColdFusion flaw is already being exploited - patch now
An unauthenticated path-traversal flaw in ColdFusion's Remote Development Services turns a single crafted HTTP request into full remote code execution as the service account. Disclosed 30 June 2026 (APSB26-68), weaponised within hours, and being exploited in the wild right now. Here's the five-minute briefing and the to-do list.
Contents
The short version
There are vulnerabilities you schedule around, and there are vulnerabilities you drop everything for. CVE-2026-48282 is firmly the second kind - a perfect-storm bug in Adobe ColdFusion: maximum severity, no authentication, no user interaction, and a straight line from a single crafted HTTP request to full remote code execution. Attackers found it fast, and internet-facing ColdFusion servers are being hit right now.
If you patch nothing else today: upgrade to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 and restart the service. This is a Priority 1 update under confirmed active exploitation - treat it as an emergency change, not your normal patch cadence.
What: an unauthenticated path-traversal flaw in ColdFusion's Remote Development Services (RDS) that lets an attacker write arbitrary files anywhere the ColdFusion process can reach - including its own web root. Because ColdFusion executes CFML from the web root, that write becomes remote code execution as the service account (frequently SYSTEM on Windows).
What actually broke
RDS is a legacy feature that once let IDEs and design tools perform remote file and database operations against a ColdFusion server. It speaks a proprietary remote-procedure-call protocol over HTTP, reachable at an ACTION=FILEIO endpoint under /CFIDE/.
The root cause is an old and familiar one: the server trusted a user-supplied file path before it validated it. The RDS file-write handler took the destination path straight from the request and handed it to the underlying file-system APIs without any of the safety checks you'd expect - no canonicalisation, no enforcement of a working-directory boundary, no rejection of absolute paths or ../ traversal sequences, and no null-byte filtering.
The consequence is exactly what you'd fear. Because the path is trusted first and checked never, an attacker can climb out of the intended RDS directory and write to (or read from) anywhere the ColdFusion process can access - including the web root and scripts directories from which ColdFusion will happily compile and run whatever CFML it finds.
From "file write" to "your server is mine"
On its own, an arbitrary file write sounds serious but abstract. ColdFusion turns it into something much worse in three moves.
Write
The attacker sends an unauthenticated RDS FILEIO request pointing at a web-accessible location, using path traversal to drop a small malicious .cfm file - a web shell - into the web root.
Trigger
They simply request that file over HTTP. ColdFusion compiles and executes the CFML server-side - no second vulnerability, no authentication, no user interaction.
Own
The code runs in the security context of the ColdFusion service account. On many Windows deployments that's SYSTEM, so the attacker lands with the highest privileges on the box - no separate privilege-escalation step required.
There's a quieter sibling flaw worth knowing about too. A related read-primitive vulnerability, CVE-2026-48313 (CVSS 9.3), abuses the same code path to read arbitrary files. It appears to have been the opening move in early opportunistic attacks - reading a harmless system file first as a low-noise way to confirm the traversal works, before pivoting to the write-to-RCE chain.
Why the urgency is real
This isn't theoretical risk. The exploitation timeline speaks for itself.
- 2026/Jun/30
Adobe ships the fixes (APSB26-68)
A cluster of eleven ColdFusion flaws - six rated CVSS 10.0 - patched under Adobe's highest Priority 1 rating.
- 2026/Jul/01
Public technical write-ups follow
Detailed analyses of the RDS
FILEIOpath-traversal appear shortly after disclosure, lowering the bar to exploitation. - 2026/Jul/02
In-the-wild exploitation within ~2 hours
Threat-intelligence honeypot networks reportedly capture exploitation within two hours of the technical details landing. Scanning data places roughly 800 internet-exposed ColdFusion instances in view during this window.
- 2026/Jul/03
National alerts issued
Canada's national cyber-security centre urges defenders to apply Adobe's guidance immediately. Strong candidate for national "known exploited vulnerabilities" catalogues.
None of this is surprising. It mirrors the pattern of previous critical ColdFusion bugs - the 2023 and 2024 flaws weaponised within days of disclosure. ColdFusion is a proven, high-value target, and attackers treat these advisories as a starting gun.
Are you affected?
Assume yes until you've confirmed otherwise.
| Product | Affected builds | Status |
|---|---|---|
| Adobe ColdFusion 2025 | Update 9 and earlier (2025.9 and below) | VULNERABLE |
| Adobe ColdFusion 2023 | Update 20 and earlier (2023.20 and below) | VULNERABLE |
| ColdFusion 2021 / 2018 & older | End-of-life - no fix available | PRESUME VULN |
A few things worth noting:
- The RCE impact is platform-independent (Windows, Linux, macOS), though Windows servers running ColdFusion as
SYSTEMface the steepest privilege impact. - It applies to self-managed and IaaS-hosted installations - distinct from Adobe-managed SaaS offerings.
To check quickly:
- Confirm the installed build in ColdFusion Administrator → System Information. Anything below 2025 Update 10 or 2023 Update 21 is exposed.
- Check whether RDS is enabled under Administrator → Security → RDS, and whether it's reachable from untrusted networks.
- Test whether
/CFIDE/and the RDS endpoint are reachable from the internet or other untrusted segments. - Review perimeter and web logs for requests to the RDS
FILEIOendpoint - a useful indicator of scanning or exploitation attempts.
What an attacker can do once in
To be blunt about the blast radius, successful exploitation typically means the attacker can:
- Run arbitrary operating-system commands via a planted web shell.
- Read, modify, or destroy any data the ColdFusion process can touch - application source, data-source credentials, connection strings, and secrets on disk.
- Deface or take down hosted applications.
- Harvest ColdFusion Administrator credentials, database passwords, and encryption keys to dig in deeper.
- Pivot laterally into the internal network and, because the service often runs as
SYSTEMorroot, take full control of the host. - Establish persistence, stage data for exfiltration, deploy ransomware, or use the server as a beachhead into the wider estate.
In short: full server compromise, and often a foothold into everything behind it.
What to do - in priority order
1. Patch. Immediately.
This is a Priority 1 update, and with confirmed exploitation it deserves emergency-change treatment.
- Upgrade ColdFusion 2025 to Update 10.
- Upgrade ColdFusion 2023 to Update 21.
- Follow Adobe's technote for APSB26-68 and restart the ColdFusion service so the update actually takes effect. Where Adobe specifies a supported JDK/JRE version, update the Java runtime in the same maintenance window.
- Apply the full APSB26-68 set together - the updates remediate the whole cluster of flaws. Don't fix this one in isolation.
- If you're on an unsupported release (ColdFusion 2021 or earlier), there is no patch. Plan an urgent migration to a supported version.
The fix, for the curious, routes RDS file operations through a new centralised path-validation routine - closing the gap that let unvalidated paths through in the first place.
2. If you genuinely can't patch this instant, mitigate
These reduce exposure but are not a substitute for patching.
- Disable RDS if it isn't needed. It's a development feature that has no business being enabled on production servers. Turn it off in the ColdFusion Administrator (or remove/lock the RDS servlet mappings).
- If RDS must stay on, enforce strong, unique RDS authentication - never leave it blank or default.
- Take ColdFusion off the public internet wherever it doesn't need to be exposed.
- Deploy WAF / virtual-patching rules to block requests to the RDS endpoint carrying
FILEIOactions or traversal sequences - including encoded variants and null bytes.
3. Assume compromise if you were exposed
If your server was internet-facing and unpatched during this window, don't just patch and move on. Hunt for web shells in the web root and /CFIDE/, review logs for suspicious FILEIO requests, rotate any credentials the ColdFusion process could reach, and check for signs of persistence or lateral movement.
Vulnerabilities like this reward speed. Patch to the fixed builds, get RDS off your production servers, keep ColdFusion off the open internet, and verify you weren't already hit. Treat it as an emergency, because the people scanning for your servers already are.
- Staatse advisory desk, July 2026
Key takeaways
- CVE-2026-48282 is unauthenticated, requires no user interaction, and turns one HTTP request into RCE as the ColdFusion service account - CVSS 10.0.
- The fixed builds are ColdFusion 2025 Update 10 and 2023 Update 21; apply the full APSB26-68 set and restart the service.
- RDS is a development feature - it should never be enabled or internet-reachable on a production server.
- Exploitation began within ~2 hours of public disclosure. If you were exposed and unpatched, assume compromise and hunt for web shells.
The takeaway
CVE-2026-48282 checks every box that makes a vulnerability dangerous: trivially exploitable, no authentication, maximum impact, and active attackers who moved within hours. The good news is that the remediation is equally clear-cut.
If you want help confirming whether your ColdFusion estate was exposed - or hunting for a foothold if it was - our web application security testing and network penetration testing teams can scope an emergency review. Get in touch and we'll walk your team through it.