Critical (10.0) Actively Exploited

ColdFusion RCE exploited in wild (CVE-2026-48282) [PoC]

CVE-2026-48282

CVE-2026-48282: ColdFusion 2025.9/2023.20 path traversal RCE exploited in the wild (CVSS 10.0, CISA KEV). Update to ColdFusion 2025.10 or 2023.21 immediately.

Affected: Adobe Coldfusion

Actively exploited in the wild - CVE-2026-48282 is a critical path traversal vulnerability in Adobe ColdFusion versions 2025.9, 2023.20, and earlier that grants unauthenticated attackers remote code execution as the current user. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog; patch without delay.

Overview

CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory (path traversal) vulnerability in Adobe ColdFusion. An attacker can send a specially crafted HTTP request to traverse outside the intended directory structure, allowing file upload or manipulation that leads to arbitrary code execution. The vulnerability requires no authentication and no user interaction, making it highly exploitable over the network.

The CVSS score of 10.0 (Critical) reflects the combination of network-based attack vector, low complexity, no privileges required, and no user interaction. Notably, the scope is changed, meaning the impact may extend beyond the vulnerable component to adjacent resources.

Impact

Successful exploitation gives an attacker the ability to execute arbitrary code in the context of the affected user account on the ColdFusion server. This can lead to full server compromise, data theft, lateral movement within the network, and persistence. Given active exploitation in the wild, the window for proactive defense is closing.

Systems running ColdFusion 2025.9, 2023.20, or earlier versions are immediately at risk. Organizations using ColdFusion in production should treat this as a highest-priority incident.

Remediation

Adobe has released patched versions to address this vulnerability:

  • Upgrade to ColdFusion 2025.10 (or later)
  • Upgrade to ColdFusion 2023.21 (or later)

For environments where immediate patching is not possible, apply network-level restrictions to limit access to the ColdFusion administrative interface and web-accessible resources. Consider placing ColdFusion servers behind a web application firewall (WAF) capable of detecting path traversal patterns. Monitor logs for unusual file system access or unexpected process execution.

Security Insight

ColdFusion continues to be a high-value target for threat actors due to its prevalence in enterprise web applications and its historical track record of critical vulnerabilities. This CVE-2026-48282 mirrors a pattern seen in previous ColdFusion path traversal flaws, notably CVE-2023-29298 and CVE-2024-20767, where attackers weaponized similar vectors for ransomware deployment and data exfiltration. The inclusion on CISA KEV suggests state-sponsored or financially motivated groups have operationalized this exploit, underscoring the importance of proactive patch management for unsupported or legacy ColdFusion installations. For continued coverage of exploited vulnerabilities and breach news, visit our breach reports and security news.

Further Reading

Share:

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository Stars
imbas007/CVE-2026-48282 ★ 1

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Related Across Yazoul

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.