CVE-2026-48282 Adobe ColdFusion RCE Exploited in 2 Hours

CVE-2026-48282 Adobe ColdFusion RCE

CVE-2026-48282 Adobe ColdFusion RCE is now the fastest-weaponized CVSS-10.0 flaw DIESEC has tracked in 2026: attackers began exploiting Adobe’s maximum-severity ColdFusion vulnerability within two hours of public disclosure, and CISA has given US federal agencies until July 10 to patch.

What Happened

Adobe’s APSB26-68 security bulletin, released June 30, 2026, patched 11 CVEs across ColdFusion, seven of them rated CVSS 10.0. The one now under active attack is CVE-2026-48282 Adobe ColdFusion RCE, a path traversal vulnerability in the Remote Development Services (RDS) FILEIO handler. The handler accepts a user-controlled file path from an RPC request and forwards it directly to the underlying file system API, without path canonicalization, input validation, or directory boundary enforcement.

An attacker who can reach a ColdFusion server with RDS enabled and RDS authentication disabled can submit a crafted path containing directory traversal sequences (such as ../) or an unauthorized absolute path, and write arbitrary files anywhere on the file system — including the web root. That is unauthenticated remote code execution achievable in a single request, no credentials required.

According to vulnerability intelligence platform KEVIntel, in-the-wild exploitation began within two hours of public disclosure. CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog on July 7, 2026, and — under Binding Operational Directive 26-04 — set a three-day remediation deadline for federal agencies of July 10, 2026, one of the most aggressive KEV deadlines issued so far this year. The fix is available now: ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10.

Why It Matters

RDS is not enabled by default, and when it is enabled, RDS authentication is supposed to be required — but both settings are frequently left over from legacy development or migration workflows years after they served any purpose. That forgotten configuration is exactly what turns a routine patch cycle into an active-incident assumption. ColdFusion still runs customer portals, intranet applications, and legacy line-of-business systems inside a meaningful number of mid-sized enterprises, including DACH manufacturing and financial-services organizations running older CF-based platforms that were never fully migrated away.

The two-hour exploitation window is also a governance data point in its own right: for any internet-facing platform with a KEV listing, “patch within the business week” is no longer a survivable cadence. Under NIS2 Article 21, organizations in scope are expected to handle known vulnerabilities in a timely manner — an internet-facing, unpatched ColdFusion server after July 10 is both a security exposure and a compliance one.

What You Should Do Now

  1. Immediate: Update to ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10.
  2. Verify: Check whether RDS is enabled on each ColdFusion instance (ColdFusion Administrator → Debugging & Logging, or check the RDS service status directly) and whether RDS authentication is actually configured and enforced.
  3. Mitigate: If immediate patching isn’t possible, disable the RDS service entirely, or block network access to the RDS endpoint at the firewall — most production environments do not need RDS enabled at all.
  4. Monitor: Review ColdFusion and web server logs for unexpected file writes into the web root and unusual RDS RPC requests. Given the confirmed two-hour exploitation window, treat any match as a likely compromise rather than a false positive requiring further triage.

DIESEC Perspective

We keep seeing the same pattern across 2026’s biggest vulnerability stories: the exploited window is the gap between patch availability and patch application, not zero-day discovery. RDS left enabled from a development phase that ended years ago is a textbook example of the kind of forgotten configuration that makes a routine Adobe patch cycle into a same-day incident.

Not sure whether RDS is still enabled on your ColdFusion servers, or whether your patch management process can react within hours rather than days? Contact DIESEC for a rapid exposure and patch verification review.

Sources: Adobe Security Bulletin APSB26-68 | Help Net Security
Published: 2026-07-09 | Category: Vulnerabilities & Patches | ~4 min read