ColdFusion CVE-2026-48282 exploited: 3-day KEV deadline, patch to Update 10/21
Contents
TL;DR
What happened Adobe ColdFusion 2025 Update 9 and earlier, and 2023 Update 20 and earlier. CVE-2026-48282 is a path traversal (reading and writing files outside the intended directory) that reaches RCE (remote code execution), rated CVSS 10.0. Exploitation requires RDS enabled with RDS authentication disabled
What to do Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. Added to CISA KEV (Known Exploited Vulnerabilities catalog) on July 7, 2026; the July 10 due date has already passed
What to grep Requests to RDS FILEIO endpoints, ../ and URL-encoded traversal sequences, unfamiliar CFM/JSP files created by the ColdFusion process, outbound connections after configuration file reads
Adobe ColdFusion’s CVE-2026-48282 entered the CISA KEV catalog on July 7, 2026.
Adobe’s APSB26-68 bulletin had been public since June 30, and an early-July revision stated the flaw was “exploited in limited attacks.”
The KEV due date was July 10, which gave US federal agencies three days from the addition.
As I write this on July 11, that deadline has already passed.
Affected: ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier.
Fixed builds are Update 10 and Update 21.
2025 and 2023 are not old-versus-new; they are separately supported release lines, and each gets its own patch.
| Release line | Vulnerable | Fixed |
|---|---|---|
| ColdFusion 2025 | Update 9 and earlier (2025.9 and below) | Update 10 |
| ColdFusion 2023 | Update 20 and earlier (2023.20 and below) | Update 21 |
In NVD, CVE-2026-48282 on its own is a CWE-22 path traversal rated 10.0 CRITICAL on CVSS (Common Vulnerability Scoring System) 3.1.
The score has not moved since the June 30 publication. The July 7 KEV addition put confirmed exploitation on top of it.
As I wrote in the NIST NVD priority-triage post, CISA KEV is not a list of theoretically dangerous flaws — it lists vulnerabilities with confirmed in-the-wild exploitation.
The RDS FILEIO handler breaks out of directory boundaries
According to the Akamai and watchTowr analyses, the attacker sends a crafted HTTP request to ColdFusion’s RDS FILEIO handler (/CFIDE/main/ide.cfm?ACTION=FILEIO).
RDS stands for Remote Development Services, a development feature that lets IDEs such as Dreamweaver read and write files on a remote ColdFusion server. FILEIO handles the file I/O part of that.
When path normalization and directory boundary checks fail there, an attacker can use traversal sequences like ../ to read and write files outside the intended working directory.
There are preconditions for this route, though.
watchTowr’s analysis lists RDS being enabled (off by default in production-type installs) with RDS authentication disabled.
Despite the CVSS 10.0, a default configuration does not meet the exploitation requirements. The servers actually exposed are the ones that kept development RDS running in production with authentication turned off.
Read-only access stops at leaking configuration files and application code.
For this CVE, though, Adobe and NVD describe it as reaching arbitrary code execution.
Akamai lays out the path: with read/write via RDS FILEIO, writing a CFM file into a web-reachable location leads to code execution on the server.
flowchart TD
A["Precondition: RDS enabled (default off)<br/>and RDS auth disabled"] --> B["Crafted HTTP request<br/>/CFIDE/main/ide.cfm?ACTION=FILEIO"]
B --> C["Path normalization flaw<br/>../ breaks the directory boundary"]
C --> D1["Write CFM into web-exposed area"]
C --> D2["Read config files<br/>neo-datasource.xml etc."]
D1 --> E["RCE via the planted CFM"]
D2 --> F["Steal DB credentials and API keys"]
Right after watchTowr published its technical analysis, honeypots picked up traffic attempting exploitation — real-world abuse followed the write-up quickly.
ColdFusion servers linger in old internal business applications and integration layers.
Beyond internet-facing admin consoles, include ColdFusion instances inside VPNs, on partner-facing intermediate servers, and in old form-processing backends in the check.
The short KEV deadline reflects CISA’s judgment that attackers are already hunting for exactly those machines.
Compromise traces survive the update
APSB26-68 directs users to ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
The same advisory contains several other CVSS 10.0 arbitrary code execution flaws besides CVE-2026-48282.
CVE-2026-48282 is the one that entered KEV, but in practice the whole of APSB26-68 is what you apply.
After updating, review RDS FILEIO access logs, traversal sequences, unfamiliar CFM/JSP files created by the ColdFusion process, configuration file reads, and outbound connections.
If data source settings, API keys, or admin credentials may have been read, also rotate the credentials for application databases, connected APIs, and admin accounts.
The Joomla JCE KEV post covered how rogue profiles and PHP files survive the patch.
Same with ColdFusion: closing the entry point still leaves deleting planted CFM/JSP files and invalidating stolen credentials as separate work.
Split the “update ticket” from the “compromise check ticket” and the second one tends to slip.
Joomla and Langflow entries landed in KEV the same day
The original DEV Community article covers not just ColdFusion but also the two Joomla-related entries and one Langflow entry added to KEV at the same time.
Per The Hacker News, the four additions are CVE-2026-48282, Joomlack Page Builder’s CVE-2026-56290, Langflow’s CVE-2026-55255, and JoomShaper SP Page Builder’s CVE-2026-48908.
| CVE | Vendor/Product | Vulnerability type | Exploitation entry point |
|---|---|---|---|
| CVE-2026-48282 | Adobe ColdFusion | Path traversal (CWE-22) → RCE | RDS enabled with RDS auth disabled |
| CVE-2026-56290 | Joomlack Page Builder | Improper access control (CWE-284) → RCE | Unauthenticated file upload |
| CVE-2026-55255 | Langflow | Authorization bypass (CWE-639, IDOR) | Authenticated user supplies another user’s flow ID |
| CVE-2026-48908 | JoomShaper SP Page Builder | Dangerous file type upload (CWE-434) | Unauthenticated PHP file upload |
All four share the July 7, 2026 addition date and the July 10, 2026 due date.
The source article groups the four under “Supply Chain Exploitation,” but the contents differ.
ColdFusion is an RCE in a business application platform, the Joomla entries are file upload and PHP execution in CMS extensions, and Langflow is an authorization boundary problem in an AI workflow tool — the servers, logs, and leftover files you check are different for each.
For Langflow, separate reporting describes an attack chaining a cross-tenant IDOR (an authorization flaw that lets one user reference another user’s resource IDs) with an RCE.
The newly added CVE-2026-55255 is the IDOR half; the RCE is CVE-2026-33017, which entered KEV earlier. Real attacks chain the two.
Reports go as far as theft of LLM provider keys and AWS keys, so if you expose an AI orchestration tool, check those servers separately from ColdFusion.
This is close to the LiteLLM CISA KEV RCE.
In both cases, the external service keys held by the gateway or workflow tool are part of the impact.
What to check, in order
First, reconcile your server list against live machines for ColdFusion 2025 Update 9 or earlier, or ColdFusion 2023 Update 20 or earlier.
Even where a WAF (Web Application Firewall — a layer that inspects HTTP requests and blocks attack patterns) or a fronting proxy stops known patterns, apply Adobe’s Update 10/21.
Akamai says the same: WAF rules can block known patterns, but the vendor patch is the final defense.
Next, check whether RDS-related functionality is reachable from outside or from trusted networks.
Even with no internet exposure, treat reachability from VPNs, jump hosts, CI/CD networks, or partner-facing servers as an attack path.
In logs, look for strings like ../, ..%2f, ..%5c, WEB-INF, cfusion, lib, and neo-datasource.xml.
If you find a suspicious file, keep a copy and its timestamps before deleting anything.
Check the web root, ColdFusion application directories, temp directories, and deployment targets for recently created CFM/JSP files.
Also check whether the ColdFusion process spawned child processes like cmd.exe, powershell.exe, sh, curl, or wget.
Finally, rotate every credential ColdFusion can read.
That covers database connections, LDAP, SMTP, S3-compatible storage, internal APIs, and batch integration tokens.
References
- DEV Community: CISA KEV Additions: Adobe ColdFusion RCE & Supply Chain Exploitation
- Adobe Security Bulletin APSB26-68
- NVD: CVE-2026-48282
- CISA Known Exploited Vulnerabilities JSON
- Akamai: CVE-2026-48282: Mitigating a Critical Vulnerability in Adobe ColdFusion
- watchTowr: Adobe ColdFusion Security Bulletin APSB26-68 CVE Bonanza
- The Hacker News: CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV