On June 30, 2026, Adobe patched CVE-2026-48282, a path traversal vulnerability in ColdFusion that carries a CVSS score of 10.0. Within under two hours of the CVE's public details being released, KEVIntel's honeypot network recorded the first in-the-wild exploitation attempt. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on July 8 and set a Federal Civilian Executive Branch (FCEB) remediation deadline of July 10, one of the tightest deadlines in recent KEV history.
What the vulnerability does
CVE-2026-48282 is a path traversal vulnerability in Adobe ColdFusion. By sending a specially crafted HTTP request, a remote unauthenticated attacker can upload a malicious file to a web-accessible location on the server and achieve arbitrary code execution. The attack succeeds on servers where ColdFusion's Remote Development Services (RDS) interface is enabled with authentication disabled.
RDS is not enabled in the default ColdFusion configuration, which limits the scope of affected instances. However, RDS is a documented and commonly enabled feature in enterprise ColdFusion deployments, particularly in development environments that were later promoted to production without hardening review. Identifying whether your ColdFusion instances have RDS enabled is the first step before or alongside applying the patch.
The RDS problem is not new
ColdFusion has produced a vulnerability in CISA's KEV catalog every year since 2021. The pattern is consistent: path traversal or authentication bypass involving the RDS interface and file upload handling.
- CVE-2023-29298: ColdFusion access control bypass via URL manipulation.
- CVE-2023-38205: ColdFusion authentication bypass chained with CVE-2023-29298.
- CVE-2024-20767: ColdFusion improper access control exposing restricted files.
- CVE-2024-53961: ColdFusion path traversal that allowed arbitrary file reads.
CVE-2026-48282 continues the same pattern. The common thread across all five entries is the RDS interface and file handling: a subsystem that grants significant server-side capability and has been the entry point for attackers repeatedly. Patching individual CVEs addresses individual bugs; it does not change the underlying architecture that keeps producing them.
What you should do
- Patch immediately. ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10 both address CVE-2026-48282. Federal agencies under FCEB have until July 10.
- Audit RDS status. Check each ColdFusion instance for RDS enabled with authentication disabled. Disable RDS entirely if no development workflow requires it.
- Review the network perimeter. ColdFusion's RDS interface should not be internet-accessible. Restrict access to known IP ranges immediately if it is.
- Check for compromise indicators. Exploitation was observed within hours of disclosure. If your ColdFusion instance had RDS enabled and internet-accessible before patching, treat the server as potentially compromised and audit for webshells and unauthorized file changes.
The broader lesson from the ColdFusion KEV pattern is that some products require more than routine patch management. If your organization runs ColdFusion in a configuration that repeatedly exposes it to RDS vulnerabilities, the architectural question of whether to continue doing so is worth raising before the next CVE lands.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization is navigating ColdFusion patching or legacy web application security hardening.