CISA Flags Actively Exploited Adobe ColdFusion RCE (CVE-2026-48282, CVSS 10.0)

7월 13, 2026 • César Daniel Barreto

On July 7, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a maximum-severity Adobe ColdFusion vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning that it is being exploited in the wild. Tracked as CVE-2026-48282 and rated CVSS 10.0, the flaw lets an unauthenticated attacker achieve remote code execution — and federal agencies were given only until July 10 to patch under Binding Operational Directive 26-04.

Path traversal in the RDS handler, leading to unauthenticated RCE

CVE-2026-48282 is an improper path-limitation flaw (CWE-22) in ColdFusion’s Remote Development Services (RDS) FILEIO handler. Because the handler fails to properly validate paths, an unauthenticated attacker can write arbitrary files anywhere on the server’s file system — including the web root. Dropping a malicious file into a web-accessible directory turns that file-write into full, unauthenticated remote code execution. No login and no user interaction are required, which is exactly why it earns a perfect 10.0.

Patched June 30, exploited by July 7

Adobe shipped fixes on June 30, 2026 for the ColdFusion 2023 and 2025 release lines. One week later, CISA confirmed active exploitation and added the CVE to KEV with a three-day remediation deadline. That compressed timeline is a signal in itself — CISA reserves the tightest windows for bugs being weaponized right now. ColdFusion also has a long history of being targeted: its RCE flaws are a recurring favorite of ransomware operators and initial-access brokers.

What to do now

If you run Adobe ColdFusion 2023 or 2025, apply the June 30 security updates immediately. Beyond patching, Remote Development Services should never be exposed to the internet: disable RDS in production if it is not needed, and restrict access to ColdFusion administration interfaces. Because exploitation is unauthenticated and leads directly to code execution, treat any internet-facing ColdFusion server that stayed unpatched after June 30 as potentially compromised, and hunt for unexpected files in web-accessible directories.

César Daniel Barreto, Cybersecurity Author at Security Briefing

세자르 다니엘 바레토

세자르 다니엘 바레토는 존경받는 사이버 보안 작가이자 전문가로, 복잡한 사이버 보안에 대한 심도 있는 지식과 복잡한 사이버 보안 주제를 단순화하는 능력으로 유명합니다. 네트워크 보안 및 데이터 보호에 대한 폭넓은 경험을 바탕으로 보안 및 데이터 보호 분야에서 폭넓은 경험을 쌓은 그는 정기적으로 최신 사이버 보안 트렌드에 대한 사이버 보안 트렌드에 대한 통찰력 있는 기사와 분석을 정기적으로 제공하고 있습니다.

ko_KRKorean