VulnerabilityJul 07, 20269 min read

CVE-2026-48282: a CVSS 10.0 ColdFusion flaw is already being exploited - patch now

An unauthenticated path-traversal flaw in ColdFusion's Remote Development Services turns a single crafted HTTP request into full remote code execution as the service account. Disclosed 30 June 2026 (APSB26-68), weaponised within hours, and being exploited in the wild right now. Here's the five-minute briefing and the to-do list.

ST
Staatse
Security research · Staatse
Contents

The short version

There are vulnerabilities you schedule around, and there are vulnerabilities you drop everything for. CVE-2026-48282 is firmly the second kind - a perfect-storm bug in Adobe ColdFusion: maximum severity, no authentication, no user interaction, and a straight line from a single crafted HTTP request to full remote code execution. Attackers found it fast, and internet-facing ColdFusion servers are being hit right now.

10.0CVSS - maximum severity
~2hDisclosure to in-the-wild exploitation
~800Internet-exposed instances in view
11CVEs in APSB26-68 (6 rated 10.0)

If you patch nothing else today: upgrade to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 and restart the service. This is a Priority 1 update under confirmed active exploitation - treat it as an emergency change, not your normal patch cadence.

What: an unauthenticated path-traversal flaw in ColdFusion's Remote Development Services (RDS) that lets an attacker write arbitrary files anywhere the ColdFusion process can reach - including its own web root. Because ColdFusion executes CFML from the web root, that write becomes remote code execution as the service account (frequently SYSTEM on Windows).

What actually broke

RDS is a legacy feature that once let IDEs and design tools perform remote file and database operations against a ColdFusion server. It speaks a proprietary remote-procedure-call protocol over HTTP, reachable at an ACTION=FILEIO endpoint under /CFIDE/.

The root cause is an old and familiar one: the server trusted a user-supplied file path before it validated it. The RDS file-write handler took the destination path straight from the request and handed it to the underlying file-system APIs without any of the safety checks you'd expect - no canonicalisation, no enforcement of a working-directory boundary, no rejection of absolute paths or ../ traversal sequences, and no null-byte filtering.

The consequence is exactly what you'd fear. Because the path is trusted first and checked never, an attacker can climb out of the intended RDS directory and write to (or read from) anywhere the ColdFusion process can access - including the web root and scripts directories from which ColdFusion will happily compile and run whatever CFML it finds.

From "file write" to "your server is mine"

On its own, an arbitrary file write sounds serious but abstract. ColdFusion turns it into something much worse in three moves.

1

Write

The attacker sends an unauthenticated RDS FILEIO request pointing at a web-accessible location, using path traversal to drop a small malicious .cfm file - a web shell - into the web root.

2

Trigger

They simply request that file over HTTP. ColdFusion compiles and executes the CFML server-side - no second vulnerability, no authentication, no user interaction.

3

Own

The code runs in the security context of the ColdFusion service account. On many Windows deployments that's SYSTEM, so the attacker lands with the highest privileges on the box - no separate privilege-escalation step required.

There's a quieter sibling flaw worth knowing about too. A related read-primitive vulnerability, CVE-2026-48313 (CVSS 9.3), abuses the same code path to read arbitrary files. It appears to have been the opening move in early opportunistic attacks - reading a harmless system file first as a low-noise way to confirm the traversal works, before pivoting to the write-to-RCE chain.

Why the urgency is real

This isn't theoretical risk. The exploitation timeline speaks for itself.

  1. 2026/Jun/30

    Adobe ships the fixes (APSB26-68)

    A cluster of eleven ColdFusion flaws - six rated CVSS 10.0 - patched under Adobe's highest Priority 1 rating.

  2. 2026/Jul/01

    Public technical write-ups follow

    Detailed analyses of the RDS FILEIO path-traversal appear shortly after disclosure, lowering the bar to exploitation.

  3. 2026/Jul/02

    In-the-wild exploitation within ~2 hours

    Threat-intelligence honeypot networks reportedly capture exploitation within two hours of the technical details landing. Scanning data places roughly 800 internet-exposed ColdFusion instances in view during this window.

  4. 2026/Jul/03

    National alerts issued

    Canada's national cyber-security centre urges defenders to apply Adobe's guidance immediately. Strong candidate for national "known exploited vulnerabilities" catalogues.

None of this is surprising. It mirrors the pattern of previous critical ColdFusion bugs - the 2023 and 2024 flaws weaponised within days of disclosure. ColdFusion is a proven, high-value target, and attackers treat these advisories as a starting gun.

Are you affected?

Assume yes until you've confirmed otherwise.

Product Affected builds Status
Adobe ColdFusion 2025 Update 9 and earlier (2025.9 and below) VULNERABLE
Adobe ColdFusion 2023 Update 20 and earlier (2023.20 and below) VULNERABLE
ColdFusion 2021 / 2018 & older End-of-life - no fix available PRESUME VULN
CVE-2026-48282 (RDS write → RCE)
10.0
CVE-2026-48313 (RDS arbitrary read)
9.3

A few things worth noting:

  • The RCE impact is platform-independent (Windows, Linux, macOS), though Windows servers running ColdFusion as SYSTEM face the steepest privilege impact.
  • It applies to self-managed and IaaS-hosted installations - distinct from Adobe-managed SaaS offerings.

To check quickly:

  • Confirm the installed build in ColdFusion Administrator → System Information. Anything below 2025 Update 10 or 2023 Update 21 is exposed.
  • Check whether RDS is enabled under Administrator → Security → RDS, and whether it's reachable from untrusted networks.
  • Test whether /CFIDE/ and the RDS endpoint are reachable from the internet or other untrusted segments.
  • Review perimeter and web logs for requests to the RDS FILEIO endpoint - a useful indicator of scanning or exploitation attempts.

What an attacker can do once in

To be blunt about the blast radius, successful exploitation typically means the attacker can:

  • Run arbitrary operating-system commands via a planted web shell.
  • Read, modify, or destroy any data the ColdFusion process can touch - application source, data-source credentials, connection strings, and secrets on disk.
  • Deface or take down hosted applications.
  • Harvest ColdFusion Administrator credentials, database passwords, and encryption keys to dig in deeper.
  • Pivot laterally into the internal network and, because the service often runs as SYSTEM or root, take full control of the host.
  • Establish persistence, stage data for exfiltration, deploy ransomware, or use the server as a beachhead into the wider estate.

In short: full server compromise, and often a foothold into everything behind it.

What to do - in priority order

1. Patch. Immediately.

This is a Priority 1 update, and with confirmed exploitation it deserves emergency-change treatment.

  • Upgrade ColdFusion 2025 to Update 10.
  • Upgrade ColdFusion 2023 to Update 21.
  • Follow Adobe's technote for APSB26-68 and restart the ColdFusion service so the update actually takes effect. Where Adobe specifies a supported JDK/JRE version, update the Java runtime in the same maintenance window.
  • Apply the full APSB26-68 set together - the updates remediate the whole cluster of flaws. Don't fix this one in isolation.
  • If you're on an unsupported release (ColdFusion 2021 or earlier), there is no patch. Plan an urgent migration to a supported version.

The fix, for the curious, routes RDS file operations through a new centralised path-validation routine - closing the gap that let unvalidated paths through in the first place.

2. If you genuinely can't patch this instant, mitigate

These reduce exposure but are not a substitute for patching.

  • Disable RDS if it isn't needed. It's a development feature that has no business being enabled on production servers. Turn it off in the ColdFusion Administrator (or remove/lock the RDS servlet mappings).
  • If RDS must stay on, enforce strong, unique RDS authentication - never leave it blank or default.
  • Take ColdFusion off the public internet wherever it doesn't need to be exposed.
  • Deploy WAF / virtual-patching rules to block requests to the RDS endpoint carrying FILEIO actions or traversal sequences - including encoded variants and null bytes.

3. Assume compromise if you were exposed

If your server was internet-facing and unpatched during this window, don't just patch and move on. Hunt for web shells in the web root and /CFIDE/, review logs for suspicious FILEIO requests, rotate any credentials the ColdFusion process could reach, and check for signs of persistence or lateral movement.

Vulnerabilities like this reward speed. Patch to the fixed builds, get RDS off your production servers, keep ColdFusion off the open internet, and verify you weren't already hit. Treat it as an emergency, because the people scanning for your servers already are.

- Staatse advisory desk, July 2026

Key takeaways

  • CVE-2026-48282 is unauthenticated, requires no user interaction, and turns one HTTP request into RCE as the ColdFusion service account - CVSS 10.0.
  • The fixed builds are ColdFusion 2025 Update 10 and 2023 Update 21; apply the full APSB26-68 set and restart the service.
  • RDS is a development feature - it should never be enabled or internet-reachable on a production server.
  • Exploitation began within ~2 hours of public disclosure. If you were exposed and unpatched, assume compromise and hunt for web shells.

The takeaway

CVE-2026-48282 checks every box that makes a vulnerability dangerous: trivially exploitable, no authentication, maximum impact, and active attackers who moved within hours. The good news is that the remediation is equally clear-cut.

If you want help confirming whether your ColdFusion estate was exposed - or hunting for a foothold if it was - our web application security testing and network penetration testing teams can scope an emergency review. Get in touch and we'll walk your team through it.

References & further reading

  1. AdobeSecurity bulletin APSB26-68 - ColdFusion
  2. NVDCVE-2026-48282 - Adobe ColdFusion path traversal / remote code execution
  3. NVDCVE-2026-48313 - Adobe ColdFusion arbitrary file read
  4. CISA KEVKnown Exploited Vulnerabilities catalog
  5. Canadian Centre for Cyber SecurityAlert: Adobe security advisory (AV26-xxx)
Need a hand?

Need help securing your business?

If anything in this report applies to your stack, we can scope a focused assessment within two business days.