| KEY DETAILS | |
| EVENT DATE | June 30, 2026 (Initial public disclosure and security advisory release) |
| INDUSTRY SECTOR | Government,, Healthcare, Multi-Sector |
| DELIVERY | External Vulnerability: Remote, unauthenticated network access targeting exposed Remote Development Services (RDS) endpoints. Specifically utilizes HTTP POST requests directed at /CFIDE/main/ide.cfm with the ACTION=FILEIO parameter. |
| EXPLOITATION | Path Traversal (CWE-22) / Arbitrary File Write |
| INSTALLATION | Web Shell Deployment & Binary Masquerading: The attacker targets the server’s web root directory to drop a malicious ColdFusion Markup Language (.cfm or .cfc) script. The server automatically compiles and executes this shell upon a subsequent HTTP request. |
| COMMAND & CONTROL | Web Traffic & Reverse Tunnels to establish outbound proxy connections to external Cobalt Strike Command and Control (C2) servers |
| ACTIONS ON OBJECTIVES | Credential Harvesting and Configuration Theft, Persistence & Lateral Movement, Ransomware Deployment |
Executive Summary
On June 30, 2026, Adobe released security advisory APSB26-68, which addressed a maximum-severity path traversal vulnerability, designated as CVE-2026-48282, within the Remote Development Services (RDS) FILEIO handler of Adobe ColdFusion. The flaw stems from an input validation failure in the FileServlet component, where user-supplied path strings are processed via getFile(filename) without path canonicalization, check-to-root validation, or sanitization of dot-dot-slash traversal sequences. This allows an unauthenticated, remote attacker to gain an arbitrary file write primitive. By targeting the web root directory, threat actors can upload malicious ColdFusion Markup Language (CFML) files to achieve unauthenticated remote code execution (RCE) under the security authority of the ColdFusion service account.
Weaponization of the vulnerability occurred rapidly following a patch analysis published by researchers on July 2, 2026, leading to immediate in-the-wild exploitation attempts detected by honeypots. Threat actors utilize these access methods to harvest credentials, modify application infrastructure, and deploy persistent backdoors or tunneling tools. Due to active targeting, CISA added CVE-2026-48282 to its KEV Catalog on July 7, 2026. Remediation requires upgrading instances to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, which introduces secure canonicalization via RdsFileSecurity.resolveCanonical and file type blacklists. Temporary workarounds include manually disabling the RDSServlet mapping within the web.xml deployment descriptor and implementing strict Java serialization filters.
Threat Overview and Strategic Impact
Adobe has released critical security updates for ColdFusion versions 2025 (Update 9 and earlier) and 2023 (Update 20 and earlier) to address severe vulnerabilities that pose a significant risk to organizational infrastructure. These flaws include unrestricted file uploads, improper input validation, and path traversal issues, several of which carry a maximum CVSS base score of 10.0. If exploited, these vulnerabilities could allow an unauthenticated, remote attacker to achieve arbitrary code execution, privilege escalation, arbitrary file system reads, and security feature bypasses. While Adobe is currently unaware of any active exploits in the wild, the high severity of these issues means that unpatched ColdFusion servers are highly susceptible to full system compromise, potentially leading to unauthorized data access and loss of control over the affected environment.
Security Hardening and Recommendations
To mitigate these threats, Adobe strongly recommends administrators immediately apply the latest patches—ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21—which are categorized with a Priority 1 rating. Beyond patching, organizations should engage in rigorous security hardening by updating their ColdFusion JDK/JRE LTS to the latest release and implementing the security configuration settings detailed in the ColdFusion Lockdown guides. Crucially, administrators must configure updated serial filters to protect against insecure deserialization attacks; for JEE installations (such as Tomcat, WebLogic, or WildFly), this requires adding specific -Djdk.serialFilter exclusion flags to the application server’s startup file. Finally, it is highly recommended to use the latest MySQL Java connector to further secure database communications.
Detection Strategy
Because there are no known active exploits, a proactive detection strategy must focus on monitoring for the types of attacks described in the bulletin. Security operations teams should configure Web Application Firewalls (WAF) and Intrusion Detection Systems (IDS) to inspect inbound traffic for anomalous patterns indicative of path traversal, improper input validation, and unauthorized file upload attempts targeting ColdFusion endpoints. Additionally, endpoint detection and response (EDR) solutions and server logs should be continuously monitored for suspicious post-exploitation activities, such as unexpected child processes spawning from the ColdFusion service, unauthorized arbitrary file system reads, or anomalous execution of system commands that could signify successful arbitrary code execution.
How Deepwatch Protects Our Customers
Deepwatch experts actively monitor available telemetry for anomalous process behaviors, specifically looking for obfuscation or execution. Our Detection Engineers have deployed behavioral signatures targeting unauthorized modification attempts to Adobe Coldfusion and file based persistence mechanisms. We also monitor customer environments for connections routing over anomalous protocols and creation of unexpected executable applications. The Threat Intelligence team is actively collecting and analyzing available IOCs for this campaign to further improve our detection capabilities.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Object Mapping
Intrusion Set:
- N/A
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
| Initial Access | Exploit Public-Facing Application | T1190 | Exploiting unauthenticated ColdFusion endpoints to gain initial access to the server. |
| Persistence / Privilege Escalation | Server Software Component: Web Shell | T1505.003 | Uploading malicious web scripts (e.g., .cfm, .jsp) via unrestricted file upload vulnerabilities. |
| Execution | Command and Scripting Interpreter | T1059 | Achieving arbitrary code execution through the compromised ColdFusion service. |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Executing malicious PowerShell commands on compromised Windows servers. |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Executing batch scripts or cmd.exe commands on compromised Windows servers. |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Executing shell commands (e.g., bash, sh) on compromised Linux/Unix servers. |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploiting improper input validation or path traversal vulnerabilities to elevate system privileges. |
| Collection | Data from Local System | T1005 | Reading arbitrary local files (e.g., configuration files, credentials) via path traversal vulnerabilities. |
| Defense Evasion | Impair Defenses | T1562 | Bypassing security features utilizing Server-Side Request Forgery (SSRF). |
| Collection / Initial Access | Browser Session Hijacking / Drive-by Compromise | T1185 / T1189 | Exploiting Reflected Cross-site Scripting (XSS) to compromise user sessions or browsers. |
Vulnerabilities:
- CVE-2026-48282 Adobe released security advisory APSB26-68, which addressed a maximum-severity path traversal vulnerability within the Remote Development Services (RDS) FILEIO handler of Adobe ColdFusion.
Malware/Tool:
- A non-weaponized PoC has been shared publicly https://github.com/imbas007/CVE-2026-48282
Appendix A:Related OSINT
- https://helpx.adobe.com/hu/security/products/coldfusion/apsb26-68.html
- https://www.resecurity.com/blog/article/cve-2026-48282-adobe-coldfusion-rds-path-traversal-leading-to-rce
- https://www.securityweek.com/critical-adobe-coldfusion-vulnerability-exploited-in-attacks
- https://www.helpnetsecurity.com/2026/07/07/adobe-coldfusion-cve-2026-48282-exploitation-detected/
- https://www.cisa.gov/news-events/alerts/2026/07/07/cisa-adds-one-known-exploited-vulnerability-catalog
- https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza/
Appendix B: Observables
| Observables | Purpose / Source |
| HTTP POST requests to /CFIDE/main/ide.cfm or /CFIDE/main/websocket.cfm generating a 200 OK status from external IPs. | IIS W3C Logs / Apache Access Logs |
| HTTP POST requests containing the specific URL query parameter ACTION=FILEIO. | WAF / Reverse Proxy Logs |
| Inbound HTTP POST requests to the /CFIDE/ path carrying a Content-Type: application/x-ColdFusionIDE header. | WAF / Reverse Proxy Logs |
| Web connections utilizing the specific legacy User-Agent string Dreamweaver-RDS-SCM1.00. | WAF / Web Server Logs |
| Request URIs or raw POST bodies containing path traversal strings: ../, ..\\, %2e%2e%2f, or %2e%2e%5c. | WAF / IPS Telemetry |
| Post bodies matching length-prefixed RPC structures (e.g., fields starting like 4:000046:) containing operators like WRITE, READ, or CF_DIRECTORY. | WAF Packet Inspection |
| Subsequent HTTP GET requests targeting newly observed or unfamiliar .cfm or .cfc scripts in web-accessible directories. | IIS W3C Logs / Apache Access Logs |
| Creation of unexpected executable application files—specifically .cfm, .cfc, .jsp, or .class extensions—inside the /cfusion/wwwroot/ directory. | File Integrity Monitoring (FIM) / EDR |
| Brief appearance or creation of validation tracking files, such as .probe_12345.txt or similar arbitrary text documents, inside application directories. | System File System Auditing / EDR |
| Unexpected deployment of standalone binaries (e.g., rs64c.exe) inside non-administrative application folders like C:\ProgramData\. | File Integrity Monitoring (FIM) / EDR |
| Rogue executable files masquerading as legitimate system services (e.g., svchost.exe) saved outside normal system directories, specifically inside C:\ProgramData\. | Endpoint Detection & Response (EDR) |
| Unexpected file access or read operations targeting core configuration files, explicitly including the neo-security.xml file. | OS File Access Auditing |
| The core ColdFusion JVM process (coldfusion.exe or java.exe running CF classes) spawning command line interpreters like cmd.exe or powershell.exe. | EDR Process Telemetry |
| Outbound network connections initiated by deployed tunneling utilities or the ColdFusion service account routing to external Cobalt Strike Command and Control (C2) infrastructure. | Network Firewall / EDR Network Logs |
Share