
Threat Advisory • Vulnerability Report • TA2026189
CVE-2026-48282 is a critical, CVSS 10.0 path traversal vulnerability (CWE-22) in Adobe ColdFusion. Where file uploads are enabled, an unauthenticated attacker can write a malicious file to disk with NT AUTHORITY\SYSTEM privileges and achieve remote code execution — and the flaw is now confirmed under active exploitation, first observed roughly two hours after technical details were published.
CWE-22
UNAUTHENTICATED (WHEN UPLOADS ENABLED)
Section 01
Adobe ColdFusion is affected by a critical flaw, CVE-2026-48282, that scores a perfect 10.0 out of 10 on the CVSS scale — about as severe as a vulnerability can get. On servers where file uploads are switched on, an attacker does not even need to log in: they can upload a booby-trapped file and take full control of the system, running arbitrary code with the highest available privileges. Adobe pushed out a fix on June 30, 2026, but attackers moved fast; within roughly two hours of the technical details going public, an actor based in India was already probing internet-facing ColdFusion servers with exploit traffic.
The flaw is a path traversal issue (CWE-22) rooted in ColdFusion's file-upload handling, and it is closely related to CVE-2026-48313, a companion arbitrary file read vulnerability fixed in the same update. Organizations running ColdFusion 2025 or ColdFusion 2023 should update to the latest patched release without delay and review whether any unpatched, internet-exposed instances were reachable — and potentially compromised — while the flaw was still open.
Section 02
CVE-2026-48282 is a path traversal vulnerability, classified under CWE-22, affecting Adobe ColdFusion. In plain terms, the flaw can be attacked over the network, is easy to exploit, requires no authentication, and needs no user interaction — a combination that makes it directly reachable by any attacker who can send requests to a vulnerable server, and one of the reasons it carries a maximum CVSS score of 10.0.
The vulnerability sits in ColdFusion's file-upload functionality and behaves as an arbitrary file write. It is closely related to CVE-2026-48313, which provides an arbitrary file read in the same subsystem. File uploads are disabled by default in both the vulnerable and the patched builds, meaning an administrator must have explicitly enabled uploads before the path traversal flaw becomes reachable on a given server.
Once file uploads are enabled, the vulnerable endpoint can be reached with no authentication whatsoever. An attacker triggers CVE-2026-48282 by sending an upload request containing a directory-traversal payload in the path parameter. Because ColdFusion writes the resulting file to disk as NT AUTHORITY\SYSTEM, the attacker can drop files anywhere on the filesystem with full system privileges. Placing an executable ColdFusion or JSP file into a web-served folder converts this arbitrary file write into remote code execution.
The same update that addressed CVE-2026-48282 also quietly fixed related file-move, file-delete, directory-creation, and directory-listing issues in ColdFusion. The companion upload fix additionally blocks dangerous file extensions such as jspf, cfmail, and war, and introduces new path-traversal checks that run during file uploads.
The path traversal flaw affects Adobe ColdFusion 2025 Update 9 and earlier (2025.9 and earlier) and Adobe ColdFusion 2023 Update 20 and earlier (2023.20 and earlier), across all supported platforms. Adobe assigned the update its highest priority rating and urged administrators to apply the patch as soon as possible, citing an installation window of roughly 72 hours given the severity and reachability of the flaw.
Adobe stated it was unaware of any active exploitation of CVE-2026-48282 at the time the patch shipped, but that changed within days. Honeypots recorded exploitation attempts less than two hours after the technical details became public, all originating from a single IP address, 103[.]207[.]14[.]220, geolocated to India. The observed activity used a read payload to fetch C:\Windows\win.ini, a harmless file commonly used to confirm that a target is vulnerable before further action. On July 2, 2026, active exploitation of the ColdFusion path traversal flaw was confirmed, and administrators were again urged to patch immediately.
Section 03
| CVE ID | Affected Products | Affected CPE | CWE ID |
|---|---|---|---|
CVE-2026-48282 |
Adobe ColdFusion versions 2025.9, 2023.20 and earlier |
cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:* |
CWE-22 |
Section 04
Patch ColdFusion Immediately
Update affected systems to Adobe ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 without delay, following the vendor's technical notes. Adobe has assigned this update its highest priority rating and advises installation within roughly 72 hours; given confirmed in-the-wild exploitation of CVE-2026-48282 within hours of disclosure, patching is the single most effective and time-critical action.
Hunt for Signs of Compromise
Treat any internet-facing, upload-enabled ColdFusion instance that was unpatched during the exposure window as potentially compromised. Review web server and ColdFusion logs for anomalous file-upload requests containing traversal sequences in the path parameter, inspect web-served directories for unexpected files, and investigate any connections involving 103[.]207[.]14[.]220. Files written by the exploit will appear with SYSTEM ownership, which can aid detection.
Disable or Tightly Restrict File Uploads
Since the vulnerable behavior in CVE-2026-48282 is only reachable when upload functionality is explicitly enabled, disable ColdFusion file uploads where they are not required. Where uploads are required, constrain accepted file extensions and destination paths, and place strict access controls in front of the upload endpoint.
Reduce Network Exposure
Remove ColdFusion administrative and upload interfaces from direct internet exposure wherever possible, placing them behind a VPN, reverse proxy, or web application firewall with rules to block directory-traversal payloads, and limit inbound access to trusted source addresses.
Section 05
Section 06
| Type | Value |
|---|---|
IPv4 |
103[.]207[.]14[.]220 |
Section 07