Adobe ColdFusion CVE-2026-48282: 800 Exposed Servers Under Active Attack

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Attackers hit internet-exposed ColdFusion servers within two hours of Adobe publicly disclosing CVE-2026-48282, a CVSS 10.0 path traversal vulnerability in Adobe ColdFusion's Remote Development Services that allows unauthenticated remote code execution on any accessible installation.
Adobe ColdFusion CVE-2026-48282 affects ColdFusion 2025 Update 9 and all earlier versions, and ColdFusion 2023 Update 20 and all earlier versions. Adobe disclosed the flaw on July 1, 2026 in security bulletin APSB26-68 alongside six other maximum-severity flaws across ColdFusion and Campaign Classic. Ryan Dewhurst, founder of KEVIntel, confirmed the first exploitation attempt within two hours of disclosure, with attack traffic sourced from IP address 103.207.14.220, geolocated to India, captured in KEVIntel's global honeypot network. CISA added CVE-2026-48282 to the Known Exploited Vulnerabilities catalog and set a federal patch deadline of July 10, 2026 -- today.
The vulnerability sits in ColdFusion's Remote Development Services (RDS) FILEIO handler, a legacy file-access component retained for compatibility with ColdFusion development tooling. The FILEIO endpoint processes user-controlled file paths without performing path canonicalization or directory boundary validation. An attacker sends a crafted HTTP POST request to the endpoint, supplies a path traversal sequence in the request body, and writes a malicious ColdFusion web shell to the server's web root. A follow-up HTTP GET to the shell URL executes arbitrary system commands with the privileges of the ColdFusion service account. The entire chain requires no credentials and no user interaction. Adobe rated it easy to exploit.
Shadowserver tracks approximately 800 internet-exposed ColdFusion instances globally. If your organization runs any ColdFusion version before the patched release, active exploitation of CVE-2026-48282 is already confirmed against internet-facing installations. The CISA patch deadline expires today.
How Does the Adobe ColdFusion CVE-2026-48282 Exploit Work?
CVE-2026-48282 exploits a path traversal flaw in ColdFusion's Remote Development Services FILEIO handler. RDS is a legacy ColdFusion component designed to give development tools remote access to the server file system for operations including file reads and writes. The FILEIO handler accepts file paths in its request body and passes them to the underlying OS file system API.
The root cause is the absence of path canonicalization. The unpatched FILEIO handler passes user-supplied file paths directly to the file system API without resolving traversal sequences (../ and ..), blocking absolute paths outside permitted directories, or stripping null-byte injection attempts. The patched version introduced canonical path resolution and explicit directory boundary enforcement.
An attacker exploits CVE-2026-48282 in four steps. First, probe the RDS endpoint by sending an HTTP request to /CFIDE/main/ide.cfm?ACTION=FILEIO to confirm it is accessible and unauthenticated. Second, send a crafted POST request with a path traversal payload in the request body to confirm arbitrary file write capability. Third, write a malicious CFML web shell (.cfm file) to a publicly accessible directory: the web root, /CFIDE/, or any directory under the ColdFusion document root. Fourth, access the dropped shell over HTTP to execute system commands.
The shell accepts commands via a URL parameter and returns output directly in the HTTP response. From that point, the attacker has interactive command execution with the permissions of the ColdFusion service account. In many default configurations, the ColdFusion service runs as a local administrator or domain account with broad file system access, making lateral movement and credential harvesting straightforward. The Canadian Centre for Cyber Security (CCCS) issued an independent advisory citing this same exploitation chain.
Exploitation requires RDS to be enabled on the target server. RDS is disabled by default on production ColdFusion deployments but enabled by default in development configurations. Any organization that deployed a development ColdFusion server to an internet-accessible network, or enabled RDS on a production server for remote development access, is directly exposed.
RDS Endpoint Probe
Attacker sends HTTP probe to /CFIDE/main/ide.cfm?ACTION=FILEIO to confirm the endpoint is reachable and requires no authentication
Path Traversal Write
Crafted POST request with ../ sequences in the body writes arbitrary files past directory boundary controls into the web root
Web Shell Deployed
Malicious .cfm web shell placed in /CFIDE/ or web root; accepts URL parameter commands and executes them via the cfexecute CFML tag
Command Execution and Pivot
Attacker issues system commands via GET request to shell URL, harvests credentials, establishes persistence, and pivots to internal network resources
Who Is at Risk? Scale of ColdFusion Exposure in 2026
Shadowserver's internet-scanning infrastructure tracks approximately 800 publicly accessible ColdFusion instances globally. These are servers that expose ColdFusion services directly to the open internet, not internal deployments protected by firewalls or VPNs. Any of these running ColdFusion 2025 Update 9 or earlier, or ColdFusion 2023 Update 20 or earlier, with RDS accessible to external IP addresses, faces confirmed active exploitation.
ColdFusion is deployed predominantly in enterprise sectors that adopted it during its peak years in the early 2000s: government agencies, higher education institutions, healthcare organizations, financial services firms, and large e-commerce operations. Many of these deployments run on aging infrastructure where patching cycles are slow, change control processes require extended lead times, and dependency on legacy applications complicates version upgrades. Those characteristics -- slow patching, internet-exposed services, legacy dependencies -- create exactly the conditions that make CVE-2026-48282 exploitable in practice.
Adobe has disclosed multiple maximum-severity ColdFusion vulnerabilities in rapid succession in 2026. CISA previously added a ColdFusion deserialization flaw to the KEV catalog in June 2026. CVE-2026-48282 joined the catalog within hours of disclosure. The back-to-back KEV additions indicate sustained attacker interest in ColdFusion infrastructure, not a one-off event.
Among the 800 tracked exposed instances, any server with RDS accessible from the internet and running an unpatched version is exposed to confirmed exploitation activity. For context on how a similar unauthenticated RCE in Joomla (CVE-2026-48907) was exploited against publicly exposed CMS installations this same week, see our Joomla unauthenticated RCE patch advisory.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
What Attackers Are Doing Right Now With CVE-2026-48282
KEVIntel's global honeypot network captured the first exploitation attempt against CVE-2026-48282 within two hours of Adobe releasing APSB26-68. The attack traffic originated from 103.207.14.220, an IP address geolocated to India with no prior registered threat reputation at time of discovery. Resecurity analysis confirmed the IP was operating as a scanning probe, testing the FILEIO endpoint across known ColdFusion IP ranges identified through public internet-scanning databases including Shodan and Censys.
The exploit chain observed in KEVIntel honeypots matched the sequence described in post-publication proof-of-concept analysis: an initial FILEIO probe, a path traversal write attempt targeting the web root, and a follow-up GET request to verify whether the write succeeded. Successful web shell placement was confirmed in the honeypot environment within the first contact window.
CISA's KEV addition confirms that exploitation extends beyond honeypot detections. CISA adds vulnerabilities to the KEV catalog only when it has evidence of real-world exploitation against actual production systems, not just proof-of-concept code or honeypot data. The parallel advisory from the Canadian Centre for Cyber Security indicates intelligence sharing between agencies confirmed active exploitation targeting operational government and enterprise systems in both countries.
The speed of exploitation follows a pattern documented across multiple prior Adobe ColdFusion vulnerabilities. In 2023, Chinese state-sponsored threat actors exploited ColdFusion deserialization vulnerabilities to deploy web shells across U.S. government networks. In 2017, CVE-2017-3066 was exploited for similar web shell deployment within days of disclosure. Any organization that has not validated its ColdFusion patch status against APSB26-68 should treat the installation as potentially compromised until forensic review confirms otherwise.
“Exploitation of CVE-2026-48282 was captured in the wild in under two hours from public disclosure.”
Ryan Dewhurst, KEVIntel Founder, via Security Affairs (July 2026)
Indicators of Compromise for CVE-2026-48282
The following artifacts indicate a ColdFusion server may have been compromised via CVE-2026-48282. Check all items before declaring a system clean. Web shells can persist for weeks after initial intrusion if post-compromise cleanup is not thorough.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch Adobe ColdFusion CVE-2026-48282 Before the Weekend
Patching CVE-2026-48282 requires updating to the fixed ColdFusion release and confirming that RDS is either disabled or restricted to internal network access. Both steps are required; patching alone does not remediate any web shells already dropped by exploitation activity before the patch was applied.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Adobe ColdFusion CVE-2026-48282 Matters for Your Organization
CVE-2026-48282 is not a theoretical threat pending proof-of-concept code. Exploitation of Adobe ColdFusion CVE-2026-48282 began within two hours of disclosure and has been independently confirmed by KEVIntel honeypots, CISA's KEV catalog, and the Canadian Centre for Cyber Security.
ColdFusion's enterprise deployment profile makes the practical risk severe. Government agencies, healthcare systems, and financial institutions run ColdFusion-backed applications on production infrastructure where patching requires change control approval and scheduled maintenance windows. For organizations whose ColdFusion servers face the public internet and whose patch cycles run longer than 24 hours, the window between patch availability and exploitation has already closed. Those systems need immediate triage, not a scheduled patch cycle.
The CISA KEV deadline of July 10, 2026 applies to federal civilian executive branch agencies, but CISA routinely uses KEV designations as an industry-wide signal. When CISA sets a same-week deadline and the Canadian Centre for Cyber Security issues a parallel advisory, both agencies are communicating that confirmed exploitation is active and widespread enough to require emergency response across sectors.
The patch for CVE-2026-48282 is available now: ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. Organizations that cannot patch before the weekend closes should disable RDS to eliminate the primary attack surface, block external access to /CFIDE/, and scan the web root for unauthorized .cfm files as an immediate mitigation. For additional context on the SharePoint RCE vulnerability CISA also added to KEV this week with the same July 10 deadline, see our SharePoint RCE CVE-2026-45659 advisory.
The bottom line
Adobe ColdFusion CVE-2026-48282 (CVSS 10.0) enables unauthenticated remote code execution via path traversal in the RDS FILEIO handler, with confirmed active exploitation starting within two hours of disclosure on July 1, 2026. More than 800 internet-exposed ColdFusion instances are trackable by public scanners. The CISA patch deadline is today. Patch to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 before the weekend closes, disable RDS on any server that does not require it for active development, and scan your web root for .cfm files created after July 1.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-48282?
CVE-2026-48282 is a CVSS 10.0 path traversal vulnerability in Adobe ColdFusion's Remote Development Services FILEIO handler. It allows unauthenticated attackers to write arbitrary files to a ColdFusion server's file system and achieve remote code execution. Adobe patched it on July 1, 2026 in security bulletin APSB26-68. ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 contain the fix.
Is CVE-2026-48282 being actively exploited?
Yes. The KEVIntel honeypot network captured in-the-wild exploitation of CVE-2026-48282 within two hours of Adobe's July 1, 2026 disclosure. Attack traffic originated from IP address 103.207.14.220, geolocated to India. CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog with a federal patch deadline of July 10, 2026. The Canadian Centre for Cyber Security issued an independent advisory confirming exploitation activity against operational systems.
Which versions of Adobe ColdFusion are affected by CVE-2026-48282?
Adobe ColdFusion 2025 Update 9 and all earlier versions are vulnerable. Adobe ColdFusion 2023 Update 20 and all earlier versions are vulnerable. ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 contain the patch. ColdFusion 2021 and earlier versions are end-of-life and receive no security updates; any deployment on those versions should be treated as permanently vulnerable and migrated immediately.
What is the CISA patch deadline for CVE-2026-48282?
CISA set a patch deadline of July 10, 2026 for federal civilian executive branch agencies. That is today. CISA issues KEV deadlines based on confirmed active exploitation and the feasibility of applying available fixes. Private-sector organizations are not legally bound by KEV deadlines but should treat them as the maximum acceptable patch timeline given CISA's direct confirmation of ongoing exploitation.
Does RDS need to be enabled to be vulnerable to CVE-2026-48282?
Yes. CVE-2026-48282 requires that ColdFusion's Remote Development Services component is enabled and that RDS authentication is disabled or absent. RDS is disabled by default on production ColdFusion installations but enabled by default in development configurations. Organizations that deployed development servers to internet-accessible networks, or enabled RDS on production systems for remote access, are directly exposed. Disabling RDS eliminates the attack surface without requiring an immediate patch.
How do I know if my ColdFusion server has been compromised via CVE-2026-48282?
Review HTTP access logs for POST requests to /CFIDE/main/ide.cfm?ACTION=FILEIO from external IP addresses, especially 103.207.14.220. Search the web root and /CFIDE/ directory recursively for .cfm, .cfc, or .cfml files created or modified after July 1, 2026. Any file in a non-application directory, or any file accepting command execution via URL parameters, is a confirmed web shell requiring immediate isolation. Review ColdFusion Administrator logs for unexpected file write operations in web-accessible paths.
What should I do if I cannot patch Adobe ColdFusion before the weekend?
If patching is not immediately possible, take these steps in order: disable RDS in ColdFusion Administrator under Security > RDS to eliminate the primary attack surface; block all external HTTP access to the /CFIDE/ path at the web server or network perimeter; scan the file system for unauthorized .cfm files created after July 1, 2026; treat any internet-exposed ColdFusion server on an unpatched version as potentially compromised until forensic review is complete. Schedule the patch for the earliest available maintenance window.
What web shells are attackers deploying through CVE-2026-48282?
Post-disclosure analysis documented a minimal CFML web shell that accepts a system command via a URL parameter, executes it using the cfexecute tag, and returns the output in the HTTP response. The shell can be placed in any web-accessible directory and requires no special server configuration to operate. Search for .cfm files containing cfexecute, or cfscript blocks that reference URL parameter values as command inputs. Those patterns in a non-application file indicate a dropped web shell, not legitimate application code.
Sources & references
- BleepingComputer: Max severity Adobe ColdFusion flaw now exploited in attacks
- Adobe Security Bulletin APSB26-68
- CISA Known Exploited Vulnerabilities Catalog
- Resecurity: CVE-2026-48282 Adobe ColdFusion RDS Path Traversal Leading to RCE
- The Hacker News: CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
- Security Affairs: Adobe ColdFusion flaw CVE-2026-48282 now exploited in the wild
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
