CVE-2026-48282: the max-severity ColdFusion RDS path traversal that became RCE in 48 hours
A CVSS 10.0 path-traversal-to-RCE in Adobe ColdFusion's RDS handler -- patched 30 June, exploited by 2 July, in CISA KEV by 7 July

The flaw lets an attacker abuse ColdFusion's RDS file handler to write a file outside the directory it should be confined to -- and because the file lands in a web-reachable folder as executable CFML, requesting it turns an arbitrary write into remote code execution as the ColdFusion service account (often SYSTEM on Windows). No credentials, no user interaction. The one thing standing between a 10.0 and a shrug is configuration: the unauthenticated path only opens when RDS is enabled and RDS authentication is switched off. RDS is off by default -- but ColdFusion's long history as a ransomware on-ramp means this is still one to close today, not next sprint.
Scores as of 2026-07-08live record →
What the flaw actually is
At its core this is a CWE-22 path traversal in the RDS FILEIO handler -- a legacy developer feature, reachable at POST /CFIDE/main/ide.cfm?ACTION=FILEIO, that lets a ColdFusion IDE read and write files on the server over HTTP. According to analyst reconstructions from watchTowr Labs and Resecurity, the handler passes a user-supplied filename into its file-resolution routine without canonicalization, so ../, ..\, absolute paths or null-byte tricks escape the intended RDS working directory and reach anywhere on disk. The patch introduces a canonical-resolution guard that rejects traversal sequences, absolute paths and null bytes before any file operation.
The exploitation chain
From an internet-facing, mis-configured RDS endpoint to a web shell running as SYSTEM. The chain has two hard chokepoints: the patch removes the file-write primitive entirely, and disabling RDS (or setting an RDS password) removes reachability -- either one breaks the whole thing. Detection sits on the FILEIO request itself and on the dropped web shell.
CVE-2026-48282 exploitation chain -- RDS path traversal to arbitrary file write to RCE
- Internet-facing ColdFusion; RDS endpoint reachable — Discover a ColdFusion 2025/2023 instance answering /CFIDE/main/ide.cfm from an untrusted network. **Prevent:** never expose RDS/admin paths externally -- block /CFIDE/ at the WAF/reverse proxy.
- RDS enabled AND RDS auth disabled? — The one gate. RDS is off by default; the unauthenticated path needs it enabled with no RDS password. **Prevent:** disable RDS or set an RDS password.
- POST /CFIDE/main/ide.cfm?ACTION=FILEIO with a traversal path — AV:N, AC:L, PR:N, UI:N. Uncanonicalized filename lets ../ / absolute paths escape the RDS working directory.
- Arbitrary file WRITE escapes the RDS directory (CWE-22) — The write primitive is what makes this a 10.0. **Prevent:** the fixed build (2025 U10 / 2023 U21) canonicalizes the path and removes this.
- Drop a CFML web shell into the web root — Executable .cfm written to a web-reachable folder (e.g. cfusion/wwwroot/). **Detect:** YARA on CFML web shells; new .cfm/.cfc/.jsp in the web root.
- GET the web shell -> RCE as the ColdFusion service account — Commands run as the service account -- SYSTEM on default Windows installs. **Detect:** ColdFusion/JVM process spawning cmd/powershell/sh.
- Persistence, credential theft, lateral movement — Web shell + service/task persistence; historically an initial-access-broker and ransomware on-ramp for ColdFusion. Patch != eviction if a shell was dropped.
- Prevent: disable RDS / set an RDS password — Cuts reachability at the precondition. In ColdFusion Administrator: turn off Enable RDS Service and set an RDS password.
- Prevent: PATCH removes the write primitive — Cheapest, most reliable break: apply 2025 Update 10 / 2023 Update 21 -- also closes the other 10 APSB26-68 CVEs.
- Detect: FILEIO request / web-shell drop — Deploy the Sigma rule for POST ...ide.cfm ACTION=FILEIO + traversal, and the YARA rule for dropped CFML web shells.
Am I affected?
The bug affects on-prem Adobe ColdFusion 2025 and 2023 -- ColdFusion 2021 is not listed in APSB26-68. Do not trust a patch tracker alone: confirm the actual update level, then confirm whether RDS is exposed. In ColdFusion Administrator, check the Server Information page for the update level and Server Settings for whether Enable RDS Service is on and whether an RDS password is set. Externally, a non-404 response to /CFIDE/main/ide.cfm from an untrusted network means the RDS surface is reachable and must be blocked. Prioritise anything that is internet-facing, RDS-enabled and below the fixed build.
| ColdFusion train (on-prem) | Affected | Fixed (>=) |
| ColdFusion 2025 | Update 9 (2025.9) and earlier | Update 10 (2025.10) |
| ColdFusion 2023 | Update 20 (2023.20) and earlier | Update 21 (2023.21) |
| ColdFusion 2021 | Not listed as affected in APSB26-68 | -- |
| Axis | Value | What it means |
| CVSS 3.1 | 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Network, low-complexity, no auth, no interaction; scope-changed |
| EPSS | ~1.0% (about 59th pct) | Low -- reflects the RDS config gate and no mass exploitation yet |
| CISA KEV | Listed 7 Jul 2026 (due 10 Jul) | Confirmed active exploitation; federal deadline already elapsed |
| Exploited in the wild | Yes -- honeypots, from ~2 Jul 2026 | Opportunistic probing observed, not confirmed mass compromise |
| Public PoC | Yes -- write-up + file-reader + Nuclei template | Commodity risk; treat exploitation as within easy reach |
| Ransomware use | Not confirmed (CISA: false at listing) | No ransomware link yet -- but a strong ColdFusion precedent |
| Precondition | RDS enabled + RDS auth disabled | The one gate; RDS is off by default, so verify per host |
Timeline
Patched 30 June, exploited 2 July, KEV-listed 7 July
- Adobe patches APSB26-68Adobe ships the bulletin (its highest Priority 1) fixing this flaw and 10 other ColdFusion CVEs; fixes land in ColdFusion 2025 Update 10 / 2023 Update 21. Adobe states it is not aware of in-the-wild exploitation at publication.source
- Technical analysis + first exploitationwatchTowr Labs publishes a technical breakdown of the file-write bugs; KEVIntel's honeypots capture in-the-wild exploitation within ~2 hours, with a first observed attack from an India-geolocated IP reading a system file via the FILEIO handler.source
- Active-exploitation coverageBleepingComputer, SecurityWeek and others report active exploitation of the max-severity flaw; Shadowserver tracks roughly 750-800 internet-facing ColdFusion instances (patch/RDS status unknown for most).source
- Added to CISA KEVCISA adds the CVE to the Known Exploited Vulnerabilities catalog with a BOD 26-04 remediation deadline of 10 July 2026 (~3 days); ransomware use marked false at listing.source
Exploited in the wild -- what we do and don't know
The fact of exploitation is solid; the scale is not alarming yet. KEVIntel reported honeypot hits within about two hours of watchTowr's 2 July write-up -- the first observed attempt a file read of a system file (win.ini) from a single India-geolocated IP, the classic vulnerability-confirmation probe. Reporting describes opportunistic, limited activity rather than mass compromise, and Shadowserver's ~750-800 figure is an exposure count, not a compromise count. No named threat actor, cluster or victim sector has been publicly tied to this CVE as of 8 July 2026.
Detection & hunting
A Nuclei template for the vulnerable RDS check was merged on 8 July 2026 (ProjectDiscovery), so run that against your own estate for exposure. For exploitation, two high-value signals -- the FILEIO request in web logs, and the dropped web shell on disk:
- FILEIO requests in web logs:
POSTto/CFIDE/main/ide.cfmcarryingACTION=FILEIO, especially from external IPs -- RDS should never answer the internet. Quick triage:grep -Ei 'ide\.cfm.*ACTION=FILEIO|\.\./|%2e%2e%2f' access.log. - Web shells in the web root: new
.cfm/.cfc/.cfml/.jspunder the ColdFusion web root or/CFIDE/(e.g.<cf_root>/cfusion/wwwroot/), with content using<cfexecute>,<cfhttp>,java.lang.Runtime, orEvaluate()on request scopes. - ColdFusion worker spawning a shell: the
coldfusion.exe/javaprocess launchingcmd.exe/powershell.exe//bin/sh-- a healthy ColdFusion box essentially never does this. Watch for new scheduled tasks/services and unusual outbound connections too. - Logs to pull for a hunt: ColdFusion
coldfusion-out.log,exception.log,application.log,rdservice.log; plus IIS/Apache/nginx access logs. Confirm paths against your install layout.
# Drafted from Resecurity / watchTowr public analysis -- tune before production.
# Keys on the abuse behaviour (FILEIO handler + traversal), not a single payload.
title: Adobe ColdFusion RDS FILEIO Access / Path Traversal (CVE-2026-48282)
status: experimental
logsource:
category: webserver
detection:
selection_rds:
cs-method: 'POST'
cs-uri-stem|contains:
- '/CFIDE/main/ide.cfm'
- '/CFIDE/main/websocket.cfm'
cs-uri-query|contains: 'FILEIO'
selection_traversal:
cs-uri-stem|contains: '/CFIDE/'
c-uri|contains: ['../', '..%2f', '..%5c', '%2e%2e%2f', '..%c0%af']
condition: selection_rds or selection_traversal
falsepositives:
- Developers using RDS from ColdFusion Builder over a trusted network (scope out known dev IPs)
level: highWhat to do now
- Patch to ColdFusion 2025 Update 10 or 2023 Update 21 (APSB26-68). It is the fix -- there is no vendor workaround -- and it closes the other 10 bulletin CVEs at the same time. Prioritise internet-facing hosts.
- If you cannot patch within the deadline: in ColdFusion Administrator disable the RDS Service and set an RDS password, block external access to
/CFIDE/administrator,/CFIDE/main/ide.cfmand other/CFIDE/paths at the WAF/reverse proxy, and run the ColdFusion service as a low-privileged account (not SYSTEM) so a web-shell write is contained. - If a host was internet-facing and unpatched since 30 June 2026, assume-compromise: hunt the web root and
/CFIDE/for unauthorized.cfm/.cfc/.jsp, review logs forACTION=FILEIOand traversal, and check for ColdFusion-process child shells. A found web shell is a full incident, not a cleanup -- rotate secrets reachable from the host. - Reduce the surface for next time: keep RDS off in production, segment management planes off the internet, and monitor for any ColdFusion instance answering
/CFIDE/main/ide.cfmexternally.
FAQ
Is CVE-2026-48282 being exploited?
Does it need authentication?
Which versions are affected?
Is there a public exploit?
EPSS is low and it's not ransomware -- can I wait?
How do I know if RDS is exposed?
/CFIDE/main/ide.cfm from an untrusted network -- a non-404 means the RDS surface is reachable and should be blocked at the WAF.Sources
- Adobe -- Security bulletin APSB26-68 (ColdFusion)
- NVD -- CVE-2026-48282
- CISA -- Known Exploited Vulnerabilities Catalog
- CISA -- Adds one Known Exploited Vulnerability to Catalog (7 Jul 2026)
- watchTowr Labs -- Adobe ColdFusion APSB26-68 analysis
- Resecurity -- CVE-2026-48282: ColdFusion RDS path traversal leading to RCE
- Help Net Security -- Adobe ColdFusion CVE-2026-48282 exploitation detected
- BleepingComputer -- Max-severity Adobe ColdFusion flaw now exploited in attacks
- SecurityWeek -- Critical Adobe ColdFusion vulnerability exploited in attacks
- Security Affairs -- Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild
- CCB Belgium -- Adobe patches 11 ColdFusion flaws (APSB26-68)
- Qualys ThreatPROTECT -- Adobe releases patches for ColdFusion critical vulnerabilities
- ProjectDiscovery -- Nuclei template for CVE-2026-48282 (PR #16538)
- GreyNoise Labs -- Coordinated ColdFusion scanning campaign (Dec 2025, historical context)
- CISA AA23-339A -- Threat actors exploit ColdFusion CVE-2023-26360 (historical context)