ColdFusion CVE-2026-48282: Exploited Within Hours of the Patch
Adobe shipped six CVSS 10.0 ColdFusion flaws on July 1. Within hours CVE-2026-48282 was under attack — and the file-read window before you patch is exactly what most defenders never see.
On July 1, 2026, Adobe published security bulletin APSB26-68 and fixed a run of ColdFusion vulnerabilities that reads like a worst-case list: six of them rated CVSS 10.0, all leading to remote code execution, most requiring no authentication. Adobe's bulletin states the company was "not aware of any exploits in the wild." That sentence had a short shelf life. Within hours of disclosure, security researchers reported exploitation attempts against one of them — CVE-2026-48282, a path-traversal flaw — and NHS England's National CSOC issued alert CC-4808 assessing further exploitation as highly likely.
The interesting part is not that ColdFusion had critical bugs. ColdFusion is a recurring fixture on the CISA Known Exploited Vulnerabilities catalog, and everyone in the industry expects it to be attacked the moment a patch drops. The interesting part is what the first attackers did: they used a file-read primitive to reach into the server and pull data out. That is the phase of a ColdFusion compromise almost nobody watches — and it is the phase that decides whether an intrusion is a footnote or a breach notification.
What Adobe shipped on July 1 — and what "priority 1" means
APSB26-68 is not a single fix. It is a cluster, and the density is the story. Per Security Affairs' breakdown and BleepingComputer's coverage, the ColdFusion half of the bulletin includes:
- CVE-2026-48276 — malicious file upload (CWE-434) leading to arbitrary code execution, CVSS 10.0.
- CVE-2026-48277 / 48281 / 48283 / 48316 — improper input validation, each leading to code execution, all CVSS 10.0.
- CVE-2026-48282 — path traversal (CWE-22) leading to arbitrary code execution, CVSS 10.0. This is the one being probed in the wild.
- CVE-2026-48313 — path traversal permitting sensitive file access, CVSS 9.3.
- CVE-2026-48315 — input validation flaw enabling privilege escalation, CVSS 9.3.
Adobe assigned the update "priority 1" — its highest urgency, reserved for flaws it judges to be at elevated risk of targeting. The affected builds are ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier); older, out-of-support lines are affected too and simply will not receive a fix. That mix — mass-deployed application server, unauthenticated RCE, a maximum-severity rating, and a vendor priority-1 flag — is precisely the profile that gets weaponized fast.
Inside CVE-2026-48282: path traversal to code execution
Per the NVD record, CVE-2026-48282 is CVSS 10.0 with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, low complexity, no privileges, no user interaction, and a scope change — the compromise crosses out of the vulnerable component into the host. It is classified CWE-22, improper limitation of a pathname to a restricted directory. In plain terms: a request can walk out of the directory ColdFusion intends to confine it to and touch files it should never reach.
watchTowr's patch-diff analysis of APSB26-68 identified the concrete primitives behind the bulletin: a file-operation path that passed an attacker-controlled filename to the filesystem without canonicalising it first (the fix swaps a raw getFile for a getCanonicalFile), and a file-manager upload handler that accepted directory-traversal sequences in its path parameter. Either primitive, in a non-default but common configuration, lets an unauthenticated request write a .cfm web shell into the web root and then execute it — or, pointed the other direction, read arbitrary files off disk.
The in-the-wild attempt reflects exactly that second direction. The first observed exploitation, per Cyber Security News, came from an India-geolocated IP trying to read C:\Windows\win.ini — the canonical "does the traversal work?" probe. win.ini is worthless. It is a proof shot. What a traversal read is actually for is everything valuable that sits in known paths on a ColdFusion box:
- `../../../../ColdFusion2025/cfusion/lib/neo-security.xml` — the admin password hash.
- `../../../../ColdFusion2025/cfusion/lib/neo-datasource.xml` — every datasource, with credentials.
- `../../../../ColdFusion2025/cfusion/lib/password.properties` — the RDS and admin secrets.
An attacker who can read those files does not need a web shell to cause damage. They have your database credentials, your admin hash, and the keys to every datasource the application talks to — read straight off the disk, over HTTPS, in a handful of requests. No malware. No process to detect. Nothing on the box that a file-integrity monitor or an endpoint agent would flag, because nothing was written.
The window nobody watches: exploitation before you patch
Here is the timing that matters. Adobe disclosed on July 1. Exploitation attempts were reported the same day. Any organisation with a mature patch process — test, stage, schedule, deploy — is measured in days-to-weeks for an application server as fragile and business-critical as ColdFusion. The gap between "the bug is public" and "our box is patched" is not a bookkeeping detail; it is the exact window in which CVE-2026-48282 is being used, and it is a window every defender concedes by default.
During that window, the attacker's most valuable move is the quiet one: read the config files, harvest the credentials, leave. ColdFusion's own history says this is what happens. When CISA investigated CVE-2023-26360, the last time a ColdFusion flaw put a federal agency on the front page, the recorded intrusion was reconnaissance — threat actors got a foothold on public-facing ColdFusion servers and started mapping the environment. Read-and-leave leaves almost no local trace. The compromise is discovered weeks later, if at all, when the harvested credentials show up being used somewhere else.
This is the structural blind spot: the patch closes the door, but it does not tell you whether someone already walked through it, and the endpoint tooling on the box cannot see a data-disclosure attack that never dropped a file or spawned a process. The only place that read-and-exfiltrate is visible is on the wire — an application server that historically served pages suddenly emitting a burst of outbound requests, or answering a run of traversal-shaped inbound requests it has never seen before, while it is happening.
Why ColdFusion keeps ending up on the KEV list
None of this is new for ColdFusion. It is a mature, widely deployed application server that frequently sits at the internet edge in front of databases, and it has an unusually long rap sheet: CVE-2023-26360 was added to the KEV catalog the day after disclosure and used to breach a Federal Civilian Executive Branch agency; the pattern of "Adobe patches ColdFusion, attackers exploit within days" has repeated across multiple years and multiple CVEs.
The reason it stays exploitable is not that patches are unavailable. It is the combination the July 1 bulletin captures perfectly:
| Property of ColdFusion | Consequence for defenders |
|---|---|
| Internet-facing by role | Reachable by any unauthenticated attacker on day zero |
| Fronts databases and datasources | Config files on disk are the crown-jewel credentials |
| Legacy, hard to patch quickly | The exploitation window is wide, measured in days-to-weeks |
| Non-default features (RDS, uploads) | Attack surface varies per install; scanners guess, they don't confirm |
That last row is the one that defeats catalogue-driven security. A vulnerability scanner reads the ColdFusion build banner, matches it to a CVE feed, and reports "vulnerable" or "patched." It does not know whether RDS is enabled on this host, whether file uploads are turned on, whether the traversal actually reaches a sensitive path in your deployment, or — most importantly — whether an attacker already used the window before you closed it. The banner is a guess. The only way to know is to attack the box the way an attacker would and watch the wire the way an attacker hopes you don't.
Remediation
Treat any internet-reachable ColdFusion 2025 or 2023 instance as presumed-targeted since July 1, 2026. Work the list in order.
1. Am I affected?
Check your build. In ColdFusion Administrator, the version string is on the main dashboard; from the filesystem, read the build from cfusion/lib/version.properties. You are vulnerable if you are on ColdFusion 2025 Update 9 or earlier, ColdFusion 2023 Update 20 or earlier, or any out-of-support line (2021 and older). Then check exposure: is the instance reachable from the internet, and are the high-risk features enabled? From ColdFusion Administrator, confirm whether RDS and file uploads are on — these expand the exploitable surface for this bulletin.
2. Patch — exact fixed versions. Apply the July 1 updates immediately:
- ColdFusion 2025 → Update 10
- ColdFusion 2023 → Update 21
Out-of-support versions receive no fix — migrate to a supported line. After updating, apply Adobe's ColdFusion lockdown guide if you have not; several of these flaws are gated by non-default features that lockdown disables.
3. Can't patch tonight? Compensating controls.
- Disable RDS in production — it should never be enabled on an internet-facing box, and disabling it removes a primary primitive in this bulletin.
- Disable file uploads if the application does not require them; where it does, restrict the upload path and file types at the application tier.
- Put ColdFusion behind a reverse proxy / WAF and block requests containing traversal sequences (`../`, encoded variants) to `/CFIDE/`, `/cf_scripts/`, and RDS endpoints.
- Restrict egress from the ColdFusion host to only the destinations it legitimately needs. A read-and-exfiltrate attack has to send the data somewhere; a default-deny egress policy turns a silent read into a blocked connection.
4. Hunt for compromise (assume the window was used). Map your hunt to MITRE ATT&CK:
- T1190 Exploit Public-Facing Application — review web/access logs for traversal-shaped requests (`../`, `%2e%2e%2f`, long path prefixes) to `/CFIDE/main/ide.cfm`, the CKEditor file-manager upload handler under `/cf_scripts/`, and any RDS endpoint, especially since July 1.
- T1083 File and Directory Discovery / T1005 Data from Local System — look for reads of `neo-security.xml`, `neo-datasource.xml`, `password.properties`, and `win.ini`-style probes.
- T1505.003 Web Shell — inventory the web root and `CFIDE` directories for new or modified `.cfm`/`.cfml` files; timestamp-sort and diff against a known-good baseline.
- T1071 / T1041 C2 and Exfiltration — check for outbound connections from the ColdFusion host to previously-unseen destinations, and for a server that normally only serves traffic suddenly sending volume.
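The log review in the T1190 and T1083/T1005 items above is mostly a normalisation problem: a traversal probe can arrive as `../`, as `%2e%2e%2f`, double-encoded as `%252e%252e%252f`, or with Windows separators, and a grep for the literal `../` misses all but the first. The script below is an added example for this post, not Zero Hunt's code or Adobe's. It runs over a few constructed common-log-format lines (documentation-range IPs, made-up timestamps, and a placeholder `/cf_scripts/` handler name that is not the real file-manager path), decodes each request target until it stops changing, folds backslashes and case, and then tags the hit with the ATT&CK technique from the list above and with whether it falls after the July 1 disclosure.

```python
import re
import urllib.parse
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample access-log lines (common log format) for this example only.
# IPs are documentation ranges, timestamps are invented, and the /cf_scripts/
# handler name is a placeholder rather than the real file-manager endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2026:14:02:11 +0000] "GET /CFIDE/main/ide.cfm?file=../../../../ColdFusion2025/cfusion/lib/neo-security.xml HTTP/1.1" 200 8123
203.0.113.7 - - [01/Jul/2026:14:02:13 +0000] "POST /cf_scripts/PLACEHOLDER_upload_handler.cfm?path=%2e%2e%2f%2e%2e%2fwwwroot HTTP/1.1" 200 512
198.51.100.4 - - [01/Jul/2026:14:05:40 +0000] "GET /CFIDE/main/ide.cfm?file=%252e%252e%252f%252e%252e%252fWindows%252fwin.ini HTTP/1.1" 200 92
192.0.2.10 - - [01/Jul/2026:14:06:01 +0000] "GET /index.cfm HTTP/1.1" 200 4120
192.0.2.11 - - [01/Jul/2026:14:06:05 +0000] "POST /app/search.cfm HTTP/1.1" 200 1800
192.0.2.12 - - [30/Jun/2026:23:59:59 +0000] "GET /CFIDE/main/ide.cfm?file=..\\..\\..\\ColdFusion2025\\cfusion\\lib\\password.properties HTTP/1.1" 404 312
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TRAVERSAL = re.compile(r"\.\.(?:/|$)")   # after normalisation '..\' has already become '../'
SENSITIVE_FILES = ("neo-security.xml", "neo-datasource.xml", "password.properties", "win.ini")
ADMIN_PREFIXES = ("/cfide/", "/cf_scripts/")
DISCLOSURE = datetime(2026, 7, 1, tzinfo=timezone.utc)   # APSB26-68 publication date


@dataclass
class Finding:
    ip: str
    timestamp: datetime
    raw_target: str
    decoded_target: str
    status: int
    in_window: bool            # on or after the disclosure date
    admin_path: bool           # request hit /CFIDE/ or /cf_scripts/
    sensitive_file: Optional[str] = None
    techniques: List[str] = field(default_factory=list)


def normalise(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (so %252e%252e%252f collapses
    to ../), turn backslashes into forward slashes and lower-case the result, so a
    single pattern covers plain, encoded, double-encoded and Windows-style variants."""
    decoded = target
    for _ in range(max_rounds):
        step = urllib.parse.unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()


def analyse(line: str, since: datetime = DISCLOSURE) -> Optional[Finding]:
    """Return a Finding for a traversal-shaped or sensitive-file request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalise(m["target"])
    techniques: List[str] = []
    if TRAVERSAL.search(decoded):
        techniques.append("T1190")
    sensitive = next((f for f in SENSITIVE_FILES if f in decoded), None)
    if sensitive:
        techniques.extend(["T1083", "T1005"])
    if not techniques:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Finding(ip=m["ip"], timestamp=ts, raw_target=m["target"], decoded_target=decoded,
                   status=int(m["status"]), in_window=ts >= since,
                   admin_path=decoded.startswith(ADMIN_PREFIXES),
                   sensitive_file=sensitive, techniques=techniques)


def hunt(log_text: str, since: datetime = DISCLOSURE) -> List[Finding]:
    """Run analyse() over every line and keep the hits, in log order."""
    return [f for f in (analyse(l, since) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        window = "IN-WINDOW" if f.in_window else "pre-disclosure"
        print(f"{f.timestamp:%Y-%m-%d %H:%M} {f.ip:<13} {f.status} {window:<15} "
              f"{','.join(f.techniques):<18} {f.sensitive_file or '-':<20} {f.decoded_target}")
```

Two design points: the decoder loops until the output is stable rather than decoding once, because one `unquote` call turns `%252e` into `%2e` and a single-pass check never sees the dots; and a 404 is still reported, since the pre-disclosure `password.properties` attempt in the sample is exactly the kind of early probe that tells you the window opened before the bulletin did. Extend `SENSITIVE_FILES` and `ADMIN_PREFIXES` to match your deployment.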
5. Eradicate and verify — after patching.
If you find evidence of exploitation, patching is not the end. Remove any web shells, then rotate every credential the box could have leaked: the ColdFusion admin password, RDS secrets, and — critically — every datasource credential in neo-datasource.xml, because a traversal read hands those over directly. Rotate them on the database side, not just in ColdFusion. Confirm the host is clean after the patch is applied, not before; a patched banner over a live web shell is the exact false-negative this bulletin will generate for weeks.
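The web-shell inventory in the T1505.003 hunt item and the "confirm the host is clean after the patch" step both come down to the same control: a hashed baseline of every executable ColdFusion file in the web root, diffed against the current state. The following is an added example written for this post, not code from Zero Hunt or Adobe. It hashes `.cfm`, `.cfml` and `.cfc` files under a root, stores the manifest as JSON, and reports added, removed and modified files; `demo()` builds a constructed web root in a temporary directory (placeholder file names and contents), takes a baseline, simulates a post-window change set and returns the diff.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions ColdFusion executes; anything else in the web root is out of scope here.
WATCHED_SUFFIXES = {".cfm", ".cfml", ".cfc"}


def manifest(root: Path) -> Dict[str, dict]:
    """Hash every executable ColdFusion file under root. The digest is the
    authoritative signal; mtime is kept only for triage ordering, because a
    file's timestamp can be set to any value."""
    entries: Dict[str, dict] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            entries[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mtime": p.stat().st_mtime,
            }
    return entries


def save_baseline(entries: Dict[str, dict], path: Path) -> None:
    path.write_text(json.dumps(entries, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def diff_manifests(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Added files are the web-shell candidates, modified files the second place
    to look, removed files a hint that something was cleaned up."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(k for k in base & cur
                           if baseline[k]["sha256"] != current[k]["sha256"]),
    }


def newest_first(current: Dict[str, dict], limit: int = 10) -> List[str]:
    """Timestamp-sorted view for triage; a complement to diff_manifests, not a substitute."""
    return sorted(current, key=lambda k: current[k]["mtime"], reverse=True)[:limit]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small web root, then simulate changes made
    after the baseline (one edited page, one new .cfm under CFIDE, one new image
    that is out of scope) and return the diff. Names and contents are placeholders."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        seed = {
            "index.cfm": "<cfoutput>home</cfoutput>",
            "app/search.cfm": "<cfquery name='q' datasource='app'>SELECT 1</cfquery>",
            "app/Application.cfc": "component {}",
            "CFIDE/placeholder_admin_page.cfm": "<!--- constructed placeholder --->",
        }
        for rel, body in seed.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(manifest(root), baseline_file)

        # Simulated changes since the baseline was taken.
        (root / "index.cfm").write_text("<cfoutput>home</cfoutput><!--- appended --->")
        (root / "CFIDE" / "unexpected_new_file.cfm").write_text("<!--- constructed placeholder --->")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")   # not executable, ignored

        return diff_manifests(load_baseline(baseline_file), manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a known-good deployment artefact or immediately after a clean install, store it off the host, and re-run the diff after the patch rather than before it; a diff that is clean against a baseline taken from an already-compromised box proves nothing.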
Where Zero Hunt fits
The remediation above has two halves that ordinary tooling handles badly: seeing the read-and-exfiltrate while it happens, and knowing whether your patched box is actually clean. Both map onto what Zero Hunt's on-prem appliance is built to do.
The first is a traffic problem, and it is the canonical case for Zero Hunt's AI Traffic Analysis. A ColdFusion server that suddenly answers traversal-shaped requests, or begins pushing data outbound to an ASN it has never contacted, is invisible to a file-integrity monitor and an endpoint agent — nothing was written, no process was spawned. It is fully visible on the wire. Zero Hunt runs a proprietary deep-learning model with four parallel inference heads — suspicious traffic, malware classification, attack-type identification, and application fingerprinting — trained on billions of PCAP sequences, at a 2.7+ Gbit/s baseline, entirely on the appliance GPU. It flags the anomalous egress and the exploitation-shaped inbound as the activity is happening, not in the next morning's SIEM digest — which is the difference between catching a credential harvest in progress and reading about it in a breach notification.
The second half — is my patched box actually clean, and was it exploitable in the first place? — is where the 10-agent generative pentest answers the question a scanner cannot. Instead of reading the build banner and guessing, the swarm's Exploit and Web agents write a per-target attempt against your configuration — RDS on or off, uploads enabled or not, traversal reaching a sensitive path or not — using a local LLM, with every skill backtested in the AI Gym against the Vulhub and CTF corpora before it runs in production. In an assumed-breach campaign, the Post-Exploit and Pivot agents go looking for the planted web shell and the harvested-credential trail the patch left behind, and every finding is ECDSA-signed into an evidence chain. It runs entirely on-prem — no cloud callbacks, no external LLM APIs — and a change-triggered campaign re-tests the moment a new ColdFusion instance appears on the perimeter.
ColdFusion will be back on the KEV catalog again; that is not a prediction so much as a pattern. The organisations that come through these windows without a breach notification are the ones that stop trusting the patch banner and start validating what's actually running — and watching the wire for the read that happens before the patch lands. If that is the gap you are trying to close, talk to us.