ColdFusion Path Traversal CVE-2026-48282 Under Active Attack

Red | Vulnerability
Download Now
CVE-2026-48282: Adobe ColdFusion Path Traversal Under Active Attack (TA2026189) — Patch Now

Threat Advisory • Vulnerability Report • TA2026189

ColdFusion Path Traversal CVE-2026-48282 Under Active Attack

CVE-2026-48282 is a critical, CVSS 10.0 path traversal vulnerability (CWE-22) in Adobe ColdFusion. Where file uploads are enabled, an unauthenticated attacker can write a malicious file to disk with NT AUTHORITY\SYSTEM privileges and achieve remote code execution — and the flaw is now confirmed under active exploitation, first observed roughly two hours after technical details were published.

SEVERITY: RED ADMIRALTY: A1 CVSS 10.0 PATH TRAVERSAL / RCE ACTIVELY EXPLOITED CWE-22 UNAUTHENTICATED (WHEN UPLOADS ENABLED)
CVE ID
CVE-2026-48282
Published
July 07, 2026
Admiralty Code
A1
First Seen
June 2026
CWE ID
CWE-22
CVSS Score
10.0 (Critical)
Impact
Arbitrary File Write, Remote Code Execution
Patch Status
Available (June 30, 2026)
Affected Products
Adobe ColdFusion 2025 (2025.9 and earlier), ColdFusion 2023 (2023.20 and earlier)

Summary

Adobe ColdFusion is affected by a critical flaw, CVE-2026-48282, that scores a perfect 10.0 out of 10 on the CVSS scale — about as severe as a vulnerability can get. On servers where file uploads are switched on, an attacker does not even need to log in: they can upload a booby-trapped file and take full control of the system, running arbitrary code with the highest available privileges. Adobe pushed out a fix on June 30, 2026, but attackers moved fast; within roughly two hours of the technical details going public, an actor based in India was already probing internet-facing ColdFusion servers with exploit traffic.

The flaw is a path traversal issue (CWE-22) rooted in ColdFusion's file-upload handling, and it is closely related to CVE-2026-48313, a companion arbitrary file read vulnerability fixed in the same update. Organizations running ColdFusion 2025 or ColdFusion 2023 should update to the latest patched release without delay and review whether any unpatched, internet-exposed instances were reachable — and potentially compromised — while the flaw was still open.


Vulnerability Details

#1 — A Network-Exploitable Path Traversal Flaw (CWE-22)

CVE-2026-48282 is a path traversal vulnerability, classified under CWE-22, affecting Adobe ColdFusion. In plain terms, the flaw can be attacked over the network, is easy to exploit, requires no authentication, and needs no user interaction — a combination that makes it directly reachable by any attacker who can send requests to a vulnerable server, and one of the reasons it carries a maximum CVSS score of 10.0.

#2 — Arbitrary File Write via ColdFusion's File-Upload Feature

The vulnerability sits in ColdFusion's file-upload functionality and behaves as an arbitrary file write. It is closely related to CVE-2026-48313, which provides an arbitrary file read in the same subsystem. File uploads are disabled by default in both the vulnerable and the patched builds, meaning an administrator must have explicitly enabled uploads before the path traversal flaw becomes reachable on a given server.

#3 — Unauthenticated Exploitation Path and SYSTEM-Level File Writes

Once file uploads are enabled, the vulnerable endpoint can be reached with no authentication whatsoever. An attacker triggers CVE-2026-48282 by sending an upload request containing a directory-traversal payload in the path parameter. Because ColdFusion writes the resulting file to disk as NT AUTHORITY\SYSTEM, the attacker can drop files anywhere on the filesystem with full system privileges. Placing an executable ColdFusion or JSP file into a web-served folder converts this arbitrary file write into remote code execution.

#4 — Related Fixes: File-Move, File-Delete, Directory Issues, and Extension Blocking

The same update that addressed CVE-2026-48282 also quietly fixed related file-move, file-delete, directory-creation, and directory-listing issues in ColdFusion. The companion upload fix additionally blocks dangerous file extensions such as jspf, cfmail, and war, and introduces new path-traversal checks that run during file uploads.

#5 — Affected Versions and Patch Priority

The path traversal flaw affects Adobe ColdFusion 2025 Update 9 and earlier (2025.9 and earlier) and Adobe ColdFusion 2023 Update 20 and earlier (2023.20 and earlier), across all supported platforms. Adobe assigned the update its highest priority rating and urged administrators to apply the patch as soon as possible, citing an installation window of roughly 72 hours given the severity and reachability of the flaw.

#6 — Confirmed Active Exploitation Within Two Hours of Disclosure

Adobe stated it was unaware of any active exploitation of CVE-2026-48282 at the time the patch shipped, but that changed within days. Honeypots recorded exploitation attempts less than two hours after the technical details became public, all originating from a single IP address, 103[.]207[.]14[.]220, geolocated to India. The observed activity used a read payload to fetch C:\Windows\win.ini, a harmless file commonly used to confirm that a target is vulnerable before further action. On July 2, 2026, active exploitation of the ColdFusion path traversal flaw was confirmed, and administrators were again urged to patch immediately.


Vulnerability Details Table

CVE IDAffected ProductsAffected CPECWE ID
CVE-2026-48282 Adobe ColdFusion versions 2025.9, 2023.20 and earlier cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:* CWE-22

Recommendations

01

Patch ColdFusion Immediately

Update affected systems to Adobe ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 without delay, following the vendor's technical notes. Adobe has assigned this update its highest priority rating and advises installation within roughly 72 hours; given confirmed in-the-wild exploitation of CVE-2026-48282 within hours of disclosure, patching is the single most effective and time-critical action.

02

Hunt for Signs of Compromise

Treat any internet-facing, upload-enabled ColdFusion instance that was unpatched during the exposure window as potentially compromised. Review web server and ColdFusion logs for anomalous file-upload requests containing traversal sequences in the path parameter, inspect web-served directories for unexpected files, and investigate any connections involving 103[.]207[.]14[.]220. Files written by the exploit will appear with SYSTEM ownership, which can aid detection.

03

Disable or Tightly Restrict File Uploads

Since the vulnerable behavior in CVE-2026-48282 is only reachable when upload functionality is explicitly enabled, disable ColdFusion file uploads where they are not required. Where uploads are required, constrain accepted file extensions and destination paths, and place strict access controls in front of the upload endpoint.

04

Reduce Network Exposure

Remove ColdFusion administrative and upload interfaces from direct internet exposure wherever possible, placing them behind a VPN, reverse proxy, or web application firewall with rules to block directory-traversal payloads, and limit inbound access to trusted source addresses.


Potential MITRE ATT&CK TTPs

T1190
Initial Access
Exploit Public-Facing Application
T1059
Execution
Command and Scripting Interpreter
T1588.006
Resource Development
Obtain Capabilities: Vulnerabilities

Indicators of Compromise (IOCs)

TypeValue
IPv4 103[.]207[.]14[.]220

References & Patch Links

Patch Link
References