CISA Warns Adobe ColdFusion Path Traversal Flaw Is Being Exploited in Attacks


CISA has added CVE-2026-48282, a critical Adobe ColdFusion path traversal vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation.

The CISA KEV entry sets a July 10, 2026 remediation deadline for U.S. federal civilian agencies. CISA’s required action tells agencies to apply vendor mitigations, follow BOD 26-04 guidance, complete forensic triage requirements, and discontinue use if cloud-service mitigations are unavailable.

Adobe patched the flaw in its ColdFusion security bulletin for ColdFusion 2025 and ColdFusion 2023. The company says CVE-2026-48282 has been exploited in limited attacks targeting Adobe ColdFusion.

What is CVE-2026-48282?

CVE-2026-48282 is a path traversal flaw in Adobe ColdFusion that can lead to arbitrary code execution. The NVD entry says the issue affects ColdFusion 2025 Update 9, ColdFusion 2023 Update 20, and earlier versions.

The vulnerability carries a CVSS 3.1 score of 10.0 from Adobe. The vector indicates network exploitation, low attack complexity, no privileges required, and no user interaction.

That combination makes the bug especially dangerous for internet-facing ColdFusion servers. If attackers can reach a vulnerable path and write or trigger malicious content, they may gain code execution in the context of the running ColdFusion service.

ItemDetails
CVECVE-2026-48282
ProductAdobe ColdFusion
Vulnerability typePath traversal, CWE-22
ImpactArbitrary code execution
SeverityCritical, CVSS 10.0
Affected versionsColdFusion 2025 Update 9 and earlier, ColdFusion 2023 Update 20 and earlier
Fixed versionsColdFusion 2025 Update 10, ColdFusion 2023 Update 21
CISA deadlineJuly 10, 2026 for federal civilian agencies

Adobe released emergency fixes on June 30

Adobe released ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 to address CVE-2026-48282 and several other vulnerabilities. The Adobe advisory also recommends updating the ColdFusion JDK or JRE LTS version as a secure practice.

The same update fixed multiple critical flaws, including arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass issues. Several carried maximum severity ratings.

Admins should not treat CVE-2026-48282 as a routine patching item. It already appears in CISA’s exploited-vulnerability catalog, and Adobe acknowledges limited real-world exploitation.

Why RDS exposure matters

Technical analysis from watchTowr Labs focuses on ColdFusion’s Remote Development Services feature, also known as RDS. RDS allows developer tools to interact with a ColdFusion server over HTTP for tasks such as browsing files, running database queries, and supporting debugging.

RDS does not run by default. However, environments that enabled RDS and exposed it poorly face higher risk, especially if authentication has been disabled or weakened.

The practical concern is simple. A development feature designed for server management can become a direct attack surface when it faces the internet or runs with unsafe access controls.

Exploitation began quickly after disclosure

Security reporting indicates that exploitation attempts began soon after public technical details appeared. Help Net Security reported that KEVIntel sensors detected exploitation attempts on July 2, minutes after watchTowr published its technical analysis.

The same report said administrators should look for unauthorized files in ColdFusion web root and CFIDE directories if servers were internet-facing during the exposure window.

That timeline shows why CISA moved quickly. When a maximum-severity bug affects a web-facing enterprise platform, attackers can scan, test, and automate attempts before many organizations finish normal patch validation.

What CISA requires federal agencies to do

The Known Exploited Vulnerabilities catalog lists CVE-2026-48282 with active exploitation and a July 10 due date. Federal civilian agencies must apply vendor guidance and follow BOD 26-04 requirements.

CISA also points agencies to forensic triage requirements. That means affected teams should not only patch, but also check whether attackers already reached vulnerable systems.

Private organizations do not face the same federal deadline, but the catalog remains a strong prioritization signal. For exposed ColdFusion servers, the practical deadline is immediate.

What administrators should check now

Administrators should first identify every ColdFusion instance, including development, staging, legacy, and cloud-hosted servers. Many organizations miss older ColdFusion systems because they support internal tools or forgotten business workflows.

Teams should then verify patch levels, exposure, RDS status, and signs of compromise. The CVE record confirms the affected version range and the no-user-interaction attack condition, which makes exposed instances a priority.

Security teams should prioritize these actions:

  • Upgrade ColdFusion 2025 to Update 10 or later.
  • Upgrade ColdFusion 2023 to Update 21 or later.
  • Disable RDS if it is not required.
  • Restrict ColdFusion management and development endpoints to trusted networks.
  • Review web root, CFIDE, upload, and temporary directories for unexpected files.
  • Check ColdFusion, web server, EDR, and reverse proxy logs for unusual requests.
  • Rotate credentials and secrets if the server shows signs of compromise.
  • Update supported Java runtimes used by ColdFusion.

What defenders should hunt for

Attackers exploiting ColdFusion flaws often try to place files where the web server can execute or retrieve them. They may also attempt web shell deployment, credential theft, reconnaissance, or lateral movement after initial access.

Defenders should review requests tied to RDS paths, file operations, unexpected uploads, unusual POST activity, and requests that reach ColdFusion administrative or development components. watchTowr’s analysis gives defenders useful context for understanding the RDS-related exposure pattern without treating the issue as a normal web bug.

Incident responders should also look for suspicious child processes, new scheduled tasks, recently modified ColdFusion files, outbound command-and-control traffic, and attempts to read configuration files that may contain secrets.

Why this ColdFusion warning matters

ColdFusion servers often sit at the edge of enterprise environments because they power business applications, customer portals, administrative tools, and legacy workflows. That makes them attractive targets for attackers looking for reliable access.

Help Net Security noted that ColdFusion vulnerabilities have seen repeated attacker interest over the years, which raises the stakes for any internet-facing deployment that remains unpatched.

The safest approach is to patch immediately, remove unnecessary RDS exposure, and assume exposed vulnerable servers need investigation, not only remediation. With active exploitation confirmed, delayed action increases the risk of web shell deployment, data theft, and deeper network compromise.

FAQ

What is CVE-2026-48282?

CVE-2026-48282 is a critical Adobe ColdFusion path traversal vulnerability that can lead to arbitrary code execution. Adobe rates it as CVSS 10.0.

Which ColdFusion versions are affected by CVE-2026-48282?

The vulnerability affects Adobe ColdFusion 2025 Update 9 and earlier and Adobe ColdFusion 2023 Update 20 and earlier.

Has CVE-2026-48282 been exploited in attacks?

Yes. Adobe says CVE-2026-48282 has been exploited in limited attacks, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.

How can administrators fix CVE-2026-48282?

Administrators should install ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, disable RDS if it is not needed, restrict access to management and development endpoints, and hunt for signs of compromise on exposed servers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages