Home/ Blog/ Security news/ Article
Blog · Security news

Adobe ColdFusion is under active attack, but the max-severity rating overstates who is exposed

Adobe ColdFusion flaw CVE-2026-48282 (CVSS 10.0) is now exploited in the wild and in CISA KEV. Who is actually exposed, how to detect it, and what to patch.

A sealed metal cabinet with one seam prised open near the top

Adobe ColdFusion is under active attack. CISA placed CVE-2026-48282 on its Known Exploited Vulnerabilities list on July 7, 2026, a flaw rated at the very top of the severity scale. Adobe patched the bug on June 30. The gap between the fix and the first real-world exploitation was about two days. If you run ColdFusion where a developer feature called Remote Development Services is switched on and reachable, treat this as work for today.

We flagged this batch a week ago, when Adobe shipped the fixes and reported no known exploit. That post called the quiet a countdown, because ColdFusion has a long history of fast exploitation once a patch is public. The countdown has now run out for one of the flaws.

From patch to active exploitation in daysJun 30: Adobe patch. Jul 2: Public analysis. Jul 2: First exploited. Jul 7: Added to KEV.From patch to active exploitation in daysJun 30Adobe patchJul 2Public analysisJul 2First exploitedJul 7Added to KEV
Sources: Adobe APSB26-68, watchTowr Labs, Help Net Security, CISA KEV.

The timeline is the story. Adobe released the fix on June 30. On July 2, the research team at watchTowr Labs published a technical breakdown of several ColdFusion bugs from the bulletin. Within minutes, honeypot sensors run by threat-intelligence service KEVIntel logged exploitation attempts, according to Help Net Security. Five days later it was in the federal must-patch catalog. For ColdFusion, the publication of a technical write-up is now the starting gun for attacks, not a warning shot weeks ahead of them.

What the flaw actually does

CVE-2026-48282 is a path-traversal bug, scored CVSS 10.0, in ColdFusion's Remote Development Services (RDS). RDS is a feature that lets a developer's editor read and write files on a running ColdFusion server. The file handler behind it trusted the path supplied in a request without validating it, so a path containing directory-climbing sequences could point outside the folder RDS was meant to touch. An attacker can use that to write a file into the web root, place a ColdFusion script there, and have the server run it. That turns a file-write flaw into remote code execution on the host. watchTowr published a proof-of-concept; we are not reproducing it here.

Affected builds are ColdFusion 2025 up to Update 9 and ColdFusion 2023 up to Update 20, per the CVE record. Adobe fixed it in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, in bulletin APSB26-68.

Who is actually exposed

Here is the part most of the coverage skips. A CVSS 10.0 reads as every ColdFusion server on the planet being one request from compromise. That is not quite the shape of this one. The vulnerable feature, RDS, is off by default. watchTowr's testing indicated that exploitation also needed RDS authentication to be disabled. So the practically exposed population is narrower: ColdFusion servers that have RDS enabled, left unauthenticated, and reachable from an untrusted network. That is a real and dangerous slice, common on developer-adjacent and older installs, but it is not everyone.

The reason to patch anyway is that this is one of several critical flaws in the same June 30 bulletin, RDS status drifts as servers get cloned and reconfigured, and you do not want your exposure resting on a single default holding. Confirm whether RDS is on and internet-facing, then close the CVE outright with the update.

How to tell if you were hit

Patching stops the next attempt. It says nothing about the window between June 30 and the day you patched, when an exposed server was reachable. If your ColdFusion instance had RDS open in that period, hunt before you assume you are clean. Signals worth checking:

  • External POST requests to the ColdFusion IDE endpoint at /CFIDE/main/ide.cfm, especially from addresses you do not recognize.
  • New .cfm or .cfc files in the web root that you did not deploy, the classic webshell drop.
  • The ColdFusion Java process spawning a command shell such as cmd.exe, powershell.exe, or /bin/sh, which it almost never does in normal operation.

File-integrity monitoring on the web root catches the webshell after the fact; a process-lineage alert on the ColdFusion service catches the command execution. Both belong in the detection stack for any internet-facing application server, not just for this week.

Patch today, then hunt the exposure window

The order of operations:

  • Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 now. This is the fix.
  • Disable RDS on production servers unless a live workflow needs it. It is a development feature and has no place on an internet-facing production box.
  • Restrict access to the /CFIDE/ path at your reverse proxy or firewall, so the IDE endpoints are not reachable from the public internet.
  • Hunt the web root for unexpected script files and review access logs for the request pattern above, covering the days before you patched.

The recurring lesson from ColdFusion, and from every patched-but-already-breached story, is that the update and the investigation are two separate jobs. This flaw closed the patch-to-exploitation window in about two days. The next widely deployed server product will close it faster, and the honest assumption for anything internet-facing is that the write-up landing is the moment the clock starts. Adobe has said it is moving to twice-monthly bulletins because the discovery rate is climbing; plan your patch cadence for a world where the exploit follows the advisory in hours, not weeks.

Topics

Frequently asked questions

Is CVE-2026-48282 being actively exploited?

Yes. Researchers reported exploitation attempts on July 2, 2026, detected through honeypot sensors, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on July 7. The observed attempts were consistent with testing the path-traversal bug; no ransomware use has been confirmed.

Which Adobe ColdFusion versions are affected and fixed?

ColdFusion 2025 through Update 9 and ColdFusion 2023 through Update 20 are affected. Adobe fixed the flaw in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, released June 30, 2026 in bulletin APSB26-68. Upgrade to those builds to close it.

Is every ColdFusion server exploitable?

No. The flaw is in Remote Development Services (RDS), a developer feature that is off by default. According to watchTowr's analysis, practical exploitation required RDS enabled with authentication disabled and reachable over the network. Servers without exposed RDS face lower risk but should still patch.

What does CVE-2026-48282 let an attacker do?

It is a path-traversal flaw in the RDS file handler that lets an unauthenticated attacker write a file outside the intended directory. By writing a ColdFusion script into the web root, the attacker can run code on the server, a full remote compromise scored CVSS 10.0.

How do I detect exploitation of this ColdFusion flaw?

Watch for external POST requests to the ColdFusion IDE endpoint at /CFIDE/main/ide.cfm, unexpected new .cfm or .cfc files in the web root, and the ColdFusion process spawning a command shell such as cmd.exe or /bin/sh. File-integrity monitoring on the web root catches webshell drops.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.