Critical

CA-26-024 – Active Exploitation of Adobe ColdFusion Remote Development Services Path Traversal and Remote Code Execution (CVE-2026-48282)

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 7 minutes

KEY DETAILS
EVENT DATEJune 30, 2026 (Initial public disclosure and security advisory release)
INDUSTRY SECTORGovernment,, Healthcare, Multi-Sector 
DELIVERY External Vulnerability: Remote, unauthenticated network access targeting exposed Remote Development Services (RDS) endpoints. Specifically utilizes HTTP POST requests directed at /CFIDE/main/ide.cfm with the ACTION=FILEIO parameter. 
EXPLOITATIONPath Traversal (CWE-22) / Arbitrary File Write
INSTALLATIONWeb Shell Deployment & Binary Masquerading: The attacker targets the server’s web root directory to drop a malicious ColdFusion Markup Language (.cfm or .cfc) script. The server automatically compiles and executes this shell upon a subsequent HTTP request.
COMMAND & CONTROLWeb Traffic & Reverse Tunnels to establish outbound proxy connections to external Cobalt Strike Command and Control (C2) servers
ACTIONS ON OBJECTIVESCredential Harvesting and Configuration Theft, Persistence & Lateral Movement, Ransomware Deployment

Executive Summary

On June 30, 2026, Adobe released security advisory APSB26-68, which addressed a maximum-severity path traversal vulnerability, designated as CVE-2026-48282, within the Remote Development Services (RDS) FILEIO handler of Adobe ColdFusion. The flaw stems from an input validation failure in the FileServlet component, where user-supplied path strings are processed via getFile(filename) without path canonicalization, check-to-root validation, or sanitization of dot-dot-slash traversal sequences. This allows an unauthenticated, remote attacker to gain an arbitrary file write primitive. By targeting the web root directory, threat actors can upload malicious ColdFusion Markup Language (CFML) files to achieve unauthenticated remote code execution (RCE) under the security authority of the ColdFusion service account.

Weaponization of the vulnerability occurred rapidly following a patch analysis published by researchers on July 2, 2026, leading to immediate in-the-wild exploitation attempts detected by honeypots. Threat actors utilize these access methods to harvest credentials, modify application infrastructure, and deploy persistent backdoors or tunneling tools. Due to active targeting, CISA added CVE-2026-48282 to its KEV Catalog on July 7, 2026. Remediation requires upgrading instances to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, which introduces secure canonicalization via RdsFileSecurity.resolveCanonical and file type blacklists. Temporary workarounds include manually disabling the RDSServlet mapping within the web.xml deployment descriptor and implementing strict Java serialization filters.

Threat Overview and Strategic Impact

Adobe has released critical security updates for ColdFusion versions 2025 (Update 9 and earlier) and 2023 (Update 20 and earlier) to address severe vulnerabilities that pose a significant risk to organizational infrastructure. These flaws include unrestricted file uploads, improper input validation, and path traversal issues, several of which carry a maximum CVSS base score of 10.0. If exploited, these vulnerabilities could allow an unauthenticated, remote attacker to achieve arbitrary code execution, privilege escalation, arbitrary file system reads, and security feature bypasses. While Adobe is currently unaware of any active exploits in the wild, the high severity of these issues means that unpatched ColdFusion servers are highly susceptible to full system compromise, potentially leading to unauthorized data access and loss of control over the affected environment.

Security Hardening and Recommendations

To mitigate these threats, Adobe strongly recommends administrators immediately apply the latest patches—ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21—which are categorized with a Priority 1 rating. Beyond patching, organizations should engage in rigorous security hardening by updating their ColdFusion JDK/JRE LTS to the latest release and implementing the security configuration settings detailed in the ColdFusion Lockdown guides. Crucially, administrators must configure updated serial filters to protect against insecure deserialization attacks; for JEE installations (such as Tomcat, WebLogic, or WildFly), this requires adding specific -Djdk.serialFilter exclusion flags to the application server’s startup file. Finally, it is highly recommended to use the latest MySQL Java connector to further secure database communications.

Detection Strategy

Because there are no known active exploits, a proactive detection strategy must focus on monitoring for the types of attacks described in the bulletin. Security operations teams should configure Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS) to inspect inbound traffic for anomalous patterns indicative of path traversal, improper input validation, and unauthorized file upload attempts targeting ColdFusion endpoints. Additionally, endpoint detection and response (EDR) solutions and server logs should be continuously monitored for suspicious post-exploitation activities, such as unexpected child processes spawning from the ColdFusion service, unauthorized arbitrary file system reads, or anomalous execution of system commands that could signify successful arbitrary code execution.

How Deepwatch Protects Our Customers

Deepwatch experts actively monitor available telemetry for anomalous process behaviors, specifically looking for obfuscation or execution. Our Detection Engineers have deployed behavioral signatures targeting unauthorized modification attempts to Adobe Coldfusion and file based persistence mechanisms. We also monitor customer environments for connections routing over anomalous protocols and creation of unexpected executable applications. The Threat Intelligence team is actively collecting and analyzing available IOCs for this campaign to further improve our detection capabilities.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Object Mapping

Intrusion Set:

  • N/A

Attack Pattern (MITRE ATT&CK):

TacticTechniqueTechnique IDAssociated Threat Activity
Initial AccessExploit Public-Facing ApplicationT1190Exploiting unauthenticated ColdFusion endpoints to gain initial access to the server.
Persistence / Privilege EscalationServer Software Component: Web ShellT1505.003Uploading malicious web scripts (e.g., .cfm, .jsp) via unrestricted file upload vulnerabilities.
ExecutionCommand and Scripting InterpreterT1059Achieving arbitrary code execution through the compromised ColdFusion service.
ExecutionCommand and Scripting Interpreter: PowerShellT1059.001Executing malicious PowerShell commands on compromised Windows servers.
ExecutionCommand and Scripting Interpreter: Windows Command ShellT1059.003Executing batch scripts or cmd.exe commands on compromised Windows servers.
ExecutionCommand and Scripting Interpreter: Unix ShellT1059.004Executing shell commands (e.g., bash, sh) on compromised Linux/Unix servers.
Privilege EscalationExploitation for Privilege EscalationT1068Exploiting improper input validation or path traversal vulnerabilities to elevate system privileges.
CollectionData from Local SystemT1005Reading arbitrary local files (e.g., configuration files, credentials) via path traversal vulnerabilities.
Defense EvasionImpair DefensesT1562Bypassing security features utilizing Server-Side Request Forgery (SSRF).
Collection / Initial AccessBrowser Session Hijacking / Drive-by CompromiseT1185 / T1189Exploiting Reflected Cross-site Scripting (XSS) to compromise user sessions or browsers.

Vulnerabilities:

  • CVE-2026-48282 Adobe released security advisory APSB26-68, which addressed a maximum-severity path traversal vulnerability within the Remote Development Services (RDS) FILEIO handler of Adobe ColdFusion.

Malware/Tool:

Appendix A:Related OSINT 

Appendix B: Observables 

ObservablesPurpose / Source
HTTP POST requests to /CFIDE/main/ide.cfm or /CFIDE/main/websocket.cfm generating a 200 OK status from external IPs.IIS W3C Logs / Apache Access Logs
HTTP POST requests containing the specific URL query parameter ACTION=FILEIO.WAF / Reverse Proxy Logs
Inbound HTTP POST requests to the /CFIDE/ path carrying a Content-Type: application/x-ColdFusionIDE header.WAF / Reverse Proxy Logs
Web connections utilizing the specific legacy User-Agent string Dreamweaver-RDS-SCM1.00.WAF / Web Server Logs
Request URIs or raw POST bodies containing path traversal strings: ../, ..\\, %2e%2e%2f, or %2e%2e%5c.WAF / IPS Telemetry
Post bodies matching length-prefixed RPC structures (e.g., fields starting like 4:000046:) containing operators like WRITE, READ, or CF_DIRECTORY.WAF Packet Inspection
Subsequent HTTP GET requests targeting newly observed or unfamiliar .cfm or .cfc scripts in web-accessible directories.IIS W3C Logs / Apache Access Logs
Creation of unexpected executable application files—specifically .cfm, .cfc, .jsp, or .class extensions—inside the /cfusion/wwwroot/ directory.File Integrity Monitoring (FIM) / EDR
Brief appearance or creation of validation tracking files, such as .probe_12345.txt or similar arbitrary text documents, inside application directories.System File System Auditing / EDR
Unexpected deployment of standalone binaries (e.g., rs64c.exe) inside non-administrative application folders like C:\ProgramData\.File Integrity Monitoring (FIM) / EDR
Rogue executable files masquerading as legitimate system services (e.g., svchost.exe) saved outside normal system directories, specifically inside C:\ProgramData\.Endpoint Detection & Response (EDR)
Unexpected file access or read operations targeting core configuration files, explicitly including the neo-security.xml file.OS File Access Auditing
The core ColdFusion JVM process (coldfusion.exe or java.exe running CF classes) spawning command line interpreters like cmd.exe or powershell.exe.EDR Process Telemetry
Outbound network connections initiated by deployed tunneling utilities or the ColdFusion service account routing to external Cobalt Strike Command and Control (C2) infrastructure.Network Firewall / EDR Network Logs

Share

LinkedIn Twitter Facebook