CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services
Vulnerability ID: CVE-2026-48282
CVSS Score: 10.0
Published: 2026-06-30
CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.
TL;DR
A critical unauthenticated path traversal vulnerability in Adobe ColdFusion RDS permits arbitrary file writes to the local filesystem, leading directly to unauthenticated remote code execution.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network (Unauthenticated)
- CVSS Score: 10.0
- EPSS Score: 0.01021 (Percentile: 59.24%)
- Impact: Remote Code Execution (RCE) / Arbitrary File Write
- Exploit Status: Active / Weaponized
- KEV Status: Listed (July 7, 2026)
Affected Systems
- Adobe ColdFusion 2025
- Adobe ColdFusion 2023
Exploit Details
- GitHub: Functional Proof of Concept script executing unauthenticated file write on vulnerable ColdFusion deployments
- GitHub Labs: Lab validation and incident triage reports demonstrating detection strategies
Mitigation Strategies
- Disable Remote Development Services (RDS) completely
- Enable strong password authentication for RDS if it must remain active
- Configure network Access Control Lists (ACLs) to restrict access to /CFIDE/ to trusted IPs only
Remediation Steps:
- Apply Adobe Security Bulletin APSB26-68 immediately.
- For ColdFusion 2025, upgrade to Update 10 or later.
- For ColdFusion 2023, upgrade to Update 21 or later.
- Verify that the RDS feature is disabled in production environments by checking the administrative console under Security > RDS.
References
- Adobe Security Bulletin APSB26-68
- watchTowr Labs Deep Dive Analysis
- CISA Known Exploited Vulnerabilities Catalog
Read the full report for CVE-2026-48282 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)