CVE Tools
Back to blog

CVE-2026-48282: the max-severity ColdFusion RDS path traversal that became RCE in 48 hours

A CVSS 10.0 path-traversal-to-RCE in Adobe ColdFusion's RDS handler -- patched 30 June, exploited by 2 July, in CISA KEV by 7 July

CVE-2026-48282: the max-severity ColdFusion RDS path traversal that became RCE in 48 hours. A CVSS 10.0 path-traversal-to-RCE in Adobe ColdFusion's RDS handler -- patched 30 June, exploited by 2 July,
CVE-2026-48282: the max-severity ColdFusion RDS path traversal that became RCE in 48 hours. A CVSS 10.0 path-traversal-to-RCE in Adobe ColdFusion's RDS handler -- patched 30 June, exploited by 2 July,

The flaw lets an attacker abuse ColdFusion's RDS file handler to write a file outside the directory it should be confined to -- and because the file lands in a web-reachable folder as executable CFML, requesting it turns an arbitrary write into remote code execution as the ColdFusion service account (often SYSTEM on Windows). No credentials, no user interaction. The one thing standing between a 10.0 and a shrug is configuration: the unauthenticated path only opens when RDS is enabled and RDS authentication is switched off. RDS is off by default -- but ColdFusion's long history as a ransomware on-ramp means this is still one to close today, not next sprint.

What the flaw actually is

At its core this is a CWE-22 path traversal in the RDS FILEIO handler -- a legacy developer feature, reachable at POST /CFIDE/main/ide.cfm?ACTION=FILEIO, that lets a ColdFusion IDE read and write files on the server over HTTP. According to analyst reconstructions from watchTowr Labs and Resecurity, the handler passes a user-supplied filename into its file-resolution routine without canonicalization, so ../, ..\, absolute paths or null-byte tricks escape the intended RDS working directory and reach anywhere on disk. The patch introduces a canonical-resolution guard that rejects traversal sequences, absolute paths and null bytes before any file operation.

The exploitation chain

From an internet-facing, mis-configured RDS endpoint to a web shell running as SYSTEM. The chain has two hard chokepoints: the patch removes the file-write primitive entirely, and disabling RDS (or setting an RDS password) removes reachability -- either one breaks the whole thing. Detection sits on the FILEIO request itself and on the dropped web shell.

CVE-2026-48282 exploitation chain -- RDS path traversal to arbitrary file write to RCE

  1. Internet-facing ColdFusion; RDS endpoint reachable — Discover a ColdFusion 2025/2023 instance answering /CFIDE/main/ide.cfm from an untrusted network. **Prevent:** never expose RDS/admin paths externally -- block /CFIDE/ at the WAF/reverse proxy.
  2. RDS enabled AND RDS auth disabled? — The one gate. RDS is off by default; the unauthenticated path needs it enabled with no RDS password. **Prevent:** disable RDS or set an RDS password.
  3. POST /CFIDE/main/ide.cfm?ACTION=FILEIO with a traversal path — AV:N, AC:L, PR:N, UI:N. Uncanonicalized filename lets ../ / absolute paths escape the RDS working directory.
  4. Arbitrary file WRITE escapes the RDS directory (CWE-22) — The write primitive is what makes this a 10.0. **Prevent:** the fixed build (2025 U10 / 2023 U21) canonicalizes the path and removes this.
  5. Drop a CFML web shell into the web root — Executable .cfm written to a web-reachable folder (e.g. cfusion/wwwroot/). **Detect:** YARA on CFML web shells; new .cfm/.cfc/.jsp in the web root.
  6. GET the web shell -> RCE as the ColdFusion service account — Commands run as the service account -- SYSTEM on default Windows installs. **Detect:** ColdFusion/JVM process spawning cmd/powershell/sh.
  7. Persistence, credential theft, lateral movement — Web shell + service/task persistence; historically an initial-access-broker and ransomware on-ramp for ColdFusion. Patch != eviction if a shell was dropped.
  8. Prevent: disable RDS / set an RDS password — Cuts reachability at the precondition. In ColdFusion Administrator: turn off Enable RDS Service and set an RDS password.
  9. Prevent: PATCH removes the write primitive — Cheapest, most reliable break: apply 2025 Update 10 / 2023 Update 21 -- also closes the other 10 APSB26-68 CVEs.
  10. Detect: FILEIO request / web-shell drop — Deploy the Sigma rule for POST ...ide.cfm ACTION=FILEIO + traversal, and the YARA rule for dropped CFML web shells.

Am I affected?

The bug affects on-prem Adobe ColdFusion 2025 and 2023 -- ColdFusion 2021 is not listed in APSB26-68. Do not trust a patch tracker alone: confirm the actual update level, then confirm whether RDS is exposed. In ColdFusion Administrator, check the Server Information page for the update level and Server Settings for whether Enable RDS Service is on and whether an RDS password is set. Externally, a non-404 response to /CFIDE/main/ide.cfm from an untrusted network means the RDS surface is reachable and must be blocked. Prioritise anything that is internet-facing, RDS-enabled and below the fixed build.

ColdFusion train (on-prem)AffectedFixed (>=)
ColdFusion 2025Update 9 (2025.9) and earlierUpdate 10 (2025.10)
ColdFusion 2023Update 20 (2023.20) and earlierUpdate 21 (2023.21)
ColdFusion 2021Not listed as affected in APSB26-68--
AxisValueWhat it means
CVSS 3.110.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)Network, low-complexity, no auth, no interaction; scope-changed
EPSS~1.0% (about 59th pct)Low -- reflects the RDS config gate and no mass exploitation yet
CISA KEVListed 7 Jul 2026 (due 10 Jul)Confirmed active exploitation; federal deadline already elapsed
Exploited in the wildYes -- honeypots, from ~2 Jul 2026Opportunistic probing observed, not confirmed mass compromise
Public PoCYes -- write-up + file-reader + Nuclei templateCommodity risk; treat exploitation as within easy reach
Ransomware useNot confirmed (CISA: false at listing)No ransomware link yet -- but a strong ColdFusion precedent
PreconditionRDS enabled + RDS auth disabledThe one gate; RDS is off by default, so verify per host

Timeline

Patched 30 June, exploited 2 July, KEV-listed 7 July

  1. Adobe patches APSB26-68
    Adobe ships the bulletin (its highest Priority 1) fixing this flaw and 10 other ColdFusion CVEs; fixes land in ColdFusion 2025 Update 10 / 2023 Update 21. Adobe states it is not aware of in-the-wild exploitation at publication.
    source
  2. Technical analysis + first exploitation
    watchTowr Labs publishes a technical breakdown of the file-write bugs; KEVIntel's honeypots capture in-the-wild exploitation within ~2 hours, with a first observed attack from an India-geolocated IP reading a system file via the FILEIO handler.
    source
  3. Active-exploitation coverage
    BleepingComputer, SecurityWeek and others report active exploitation of the max-severity flaw; Shadowserver tracks roughly 750-800 internet-facing ColdFusion instances (patch/RDS status unknown for most).
    source
  4. Added to CISA KEV
    CISA adds the CVE to the Known Exploited Vulnerabilities catalog with a BOD 26-04 remediation deadline of 10 July 2026 (~3 days); ransomware use marked false at listing.
    source

Exploited in the wild -- what we do and don't know

The fact of exploitation is solid; the scale is not alarming yet. KEVIntel reported honeypot hits within about two hours of watchTowr's 2 July write-up -- the first observed attempt a file read of a system file (win.ini) from a single India-geolocated IP, the classic vulnerability-confirmation probe. Reporting describes opportunistic, limited activity rather than mass compromise, and Shadowserver's ~750-800 figure is an exposure count, not a compromise count. No named threat actor, cluster or victim sector has been publicly tied to this CVE as of 8 July 2026.

Detection & hunting

A Nuclei template for the vulnerable RDS check was merged on 8 July 2026 (ProjectDiscovery), so run that against your own estate for exposure. For exploitation, two high-value signals -- the FILEIO request in web logs, and the dropped web shell on disk:

  • FILEIO requests in web logs: POST to /CFIDE/main/ide.cfm carrying ACTION=FILEIO, especially from external IPs -- RDS should never answer the internet. Quick triage: grep -Ei 'ide\.cfm.*ACTION=FILEIO|\.\./|%2e%2e%2f' access.log.
  • Web shells in the web root: new .cfm/.cfc/.cfml/.jsp under the ColdFusion web root or /CFIDE/ (e.g. <cf_root>/cfusion/wwwroot/), with content using <cfexecute>, <cfhttp>, java.lang.Runtime, or Evaluate() on request scopes.
  • ColdFusion worker spawning a shell: the coldfusion.exe/java process launching cmd.exe/powershell.exe//bin/sh -- a healthy ColdFusion box essentially never does this. Watch for new scheduled tasks/services and unusual outbound connections too.
  • Logs to pull for a hunt: ColdFusion coldfusion-out.log, exception.log, application.log, rdservice.log; plus IIS/Apache/nginx access logs. Confirm paths against your install layout.
# Drafted from Resecurity / watchTowr public analysis -- tune before production.
# Keys on the abuse behaviour (FILEIO handler + traversal), not a single payload.
title: Adobe ColdFusion RDS FILEIO Access / Path Traversal (CVE-2026-48282)
status: experimental
logsource:
  category: webserver
detection:
  selection_rds:
    cs-method: 'POST'
    cs-uri-stem|contains:
      - '/CFIDE/main/ide.cfm'
      - '/CFIDE/main/websocket.cfm'
    cs-uri-query|contains: 'FILEIO'
  selection_traversal:
    cs-uri-stem|contains: '/CFIDE/'
    c-uri|contains: ['../', '..%2f', '..%5c', '%2e%2e%2f', '..%c0%af']
  condition: selection_rds or selection_traversal
falsepositives:
  - Developers using RDS from ColdFusion Builder over a trusted network (scope out known dev IPs)
level: high

What to do now

  1. Patch to ColdFusion 2025 Update 10 or 2023 Update 21 (APSB26-68). It is the fix -- there is no vendor workaround -- and it closes the other 10 bulletin CVEs at the same time. Prioritise internet-facing hosts.
  2. If you cannot patch within the deadline: in ColdFusion Administrator disable the RDS Service and set an RDS password, block external access to /CFIDE/administrator, /CFIDE/main/ide.cfm and other /CFIDE/ paths at the WAF/reverse proxy, and run the ColdFusion service as a low-privileged account (not SYSTEM) so a web-shell write is contained.
  3. If a host was internet-facing and unpatched since 30 June 2026, assume-compromise: hunt the web root and /CFIDE/ for unauthorized .cfm/.cfc/.jsp, review logs for ACTION=FILEIO and traversal, and check for ColdFusion-process child shells. A found web shell is a full incident, not a cleanup -- rotate secrets reachable from the host.
  4. Reduce the surface for next time: keep RDS off in production, segment management planes off the internet, and monitor for any ColdFusion instance answering /CFIDE/main/ide.cfm externally.

FAQ

Is CVE-2026-48282 being exploited?
Yes -- CISA added it to the KEV catalog on 7 July 2026 on evidence of active exploitation, and honeypots captured probing within ~2 hours of the first public technical details on 2 July. Reported activity so far is opportunistic rather than mass. Run a free exposure check.
Does it need authentication?
The CVSS vector is PR:N (no privileges), and against a reachable RDS endpoint with no RDS password that holds. But exploitation presupposes RDS is enabled and RDS authentication is disabled -- RDS is off by default, so a hardened install is not trivially exploitable by this alone.
Which versions are affected?
On-prem ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier). Fixed in 2025 Update 10 / 2023 Update 21. ColdFusion 2021 is not listed as affected in APSB26-68.
Is there a public exploit?
Yes -- a technical write-up, a public Python file-reader/scanner, and a merged Nuclei detection template all exist as of 8 July 2026. No Metasploit or ExploitDB module had surfaced yet, but treat exploitation as commodity.
EPSS is low and it's not ransomware -- can I wait?
No, not if you are exposed. It is in KEV (confirmed exploitation), the federal deadline has passed, a public PoC exists, and code runs as SYSTEM. The low EPSS reflects the RDS config gate, not safety. Patch internet-facing, RDS-enabled hosts now; risk-rank the internal long tail.
How do I know if RDS is exposed?
In ColdFusion Administrator, check Server Settings for whether Enable RDS Service is on and whether an RDS password is set. Externally, probe /CFIDE/main/ide.cfm from an untrusted network -- a non-404 means the RDS surface is reachable and should be blocked at the WAF.

Sources