CISA Flags Actively Exploited Adobe ColdFusion RCE (CVE-2026-48282, CVSS 10.0)

július 13, 2026 • César Daniel Barreto

On July 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being exploited in the wild. Tracked as CVE-2026-48282 and rated CVSS 10.0, the flaw lets an unauthenticated attacker achieve remote code execution — and federal agencies were given only until July 10 to patch under Binding Operational Directive 26-04.

Path traversal in the RDS handler, leading to unauthenticated RCE

CVE-2026-48282 is an improper path-limitation flaw (CWE-22) in ColdFusion’s Remote Development Services (RDS) FILEIO handler. Because the handler fails to properly validate paths, an unauthenticated attacker can write arbitrary files anywhere on the server’s file system — including the web root. Dropping a malicious file into a web-accessible directory turns that file-write into full, unauthenticated remote code execution. No login and no user interaction are required, which is exactly why it earns a perfect 10.0.

Patched June 30, exploited by July 7

Adobe shipped fixes on June 30, 2026 for the ColdFusion 2023 and 2025 release lines. One week later, CISA confirmed active exploitation and added the CVE to KEV with a three-day remediation deadline. That compressed timeline is a signal in itself — CISA reserves the tightest windows for bugs being weaponized right now. ColdFusion also has a long history of being targeted: its RCE flaws are a recurring favorite of ransomware operators and initial-access brokers.

What to do now

If you run Adobe ColdFusion 2023 or 2025, apply the June 30 security updates immediately. Beyond patching, Remote Development Services should never be exposed to the internet: disable RDS in production if it is not needed, and restrict access to ColdFusion administration interfaces. Because exploitation is unauthenticated and leads directly to code execution, treat any internet-facing ColdFusion server that stayed unpatched after June 30 as potentially compromised, and hunt for unexpected files in web-accessible directories.

César Daniel Barreto, Cybersecurity Author at Security Briefing

César Dániel Barreto

César Daniel Barreto elismert kiberbiztonsági író és szakértő, aki mélyreható ismereteiről és képességéről ismert, hogy egyszerűsítse a bonyolult kiberbiztonsági témákat. Kiterjedt tapasztalattal rendelkezik a hálózatbiztonság és az adatvédelem terén, rendszeresen hozzájárul betekintő cikkekkel és elemzésekkel a legújabb kiberbiztonsági trendekről, oktatva mind a szakembereket, mind a nagyközönséget.

hu_HUHungarian