Adobe ColdFusion CVE-2026-48282 Hits CISA KEV: Patch RDS RCE

Adobe says CVE-2026-48282 has been exploited in limited ColdFusion attacks. Patch ColdFusion 2025/2023, restrict RDS, and hunt for unauthorized files.

Adobe ColdFusion administrators have a short patch window for CVE-2026-48282, a critical path traversal flaw that Adobe says has already been exploited in limited attacks against ColdFusion servers.[1] CISA added the bug to its Known Exploited Vulnerabilities catalog on July 7, 2026, with a July 10 remediation deadline for federal agencies, which is a useful urgency signal for private operators too.[2]

The issue affects ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier. Adobe fixed it in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21 as part of APSB26-68, a broader bulletin that also covers several other critical code-execution and file-access vulnerabilities.[1] NVD lists CVE-2026-48282 as a CVSS 10.0 vulnerability that can lead to arbitrary code execution without user interaction.[3]

What ColdFusion teams should check now

The practical risk is not just that ColdFusion had another severe bug. The dangerous combination is an exposed ColdFusion server, vulnerable builds, and Remote Development Services behavior that can turn file-path abuse into file write or code execution. Help Net Security reported that exploitation attempts were detected on July 2, shortly after watchTowr published technical analysis of the ColdFusion patch set.[4]

There is an important deployment nuance: watchTowr and follow-up reporting describe RDS as not enabled by default, and exploitation of the RDS path appears to require RDS to be enabled with weak or disabled authentication.[4][5] That does not make the bug safe. It means responders should treat internet-facing ColdFusion servers as an exposure question first, then a patch question, then a hunt question.

Start by inventorying ColdFusion 2025 and 2023 systems, especially servers reachable from the internet or from partner/VPN networks. Patch to the fixed update branch, restart services as required by your ColdFusion deployment, and confirm that the running build actually changed. If RDS is not needed in production, disable it. If a business case exists, restrict it to trusted administrator hosts and verify authentication is enforced.

For exposed systems, do not stop at version checks. Review web roots and ColdFusion application directories for recently created or modified .cfm, .cfc, .jsp, .war, and other unexpected server-side files. Pay particular attention to /CFIDE/, ColdFusion web-root paths, upload directories, and any paths that should never receive developer tooling requests. The same defensive pattern applies to other exploited web-app RCE stories, including recent Joomla page-builder upload flaws and FortiSandbox RCE bugs: patching closes the door, but hunting tells you whether someone already walked through it.

ColdFusion administrators should also review web server access logs, ColdFusion logs, and endpoint telemetry for suspicious requests to RDS or CFIDE paths, unexplained file-write activity, new service-account child processes, and outbound connections from the ColdFusion service account. If you find an unexpected server-side file, preserve evidence before deleting it, rotate application and database credentials that the ColdFusion host could access, and check whether the server had a route to internal databases, file shares, or identity systems.

This is also a good moment to revisit older ColdFusion exposure assumptions. HowToFix covered exploited ColdFusion vulnerabilities in 2023, and the recurring pattern is familiar: an enterprise application server with legacy management surfaces becomes a high-value foothold. Even if RDS is off by default, production systems often carry years of configuration drift, test-era settings, and forgotten admin conveniences.

The shortest safe plan is clear: update to ColdFusion 2025 Update 10 or 2023 Update 21, disable or tightly restrict RDS, review CFIDE exposure, hunt for unauthorized files and service-account activity since at least July 2, and rotate secrets if compromise cannot be ruled out.

References

  1. Adobe Security Bulletin APSB26-68, “Security update available for Adobe ColdFusion,” published June 30 and updated July 7, 2026. Adobe.
  2. CISA Known Exploited Vulnerabilities Catalog entry for Adobe ColdFusion CVE-2026-48282, added July 7, 2026. CISA.
  3. NVD entry for CVE-2026-48282, Adobe ColdFusion path traversal vulnerability. NVD.
  4. Zeljka Zorz, “Attackers exploit critical Adobe ColdFusion vulnerability (CVE-2026-48282),” July 7, 2026. Help Net Security.
  5. watchTowr Labs, “It’s 37oC, And All We Can Think About Is ColdFusion,” July 2, 2026. watchTowr Labs.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.

Leave a Comment