ColdFusion RCE exploited in wild (CVE-2026-48282) [PoC]
CVE-2026-48282
CVE-2026-48282: ColdFusion 2025.9/2023.20 path traversal RCE exploited in the wild (CVSS 10.0, CISA KEV). Update to ColdFusion 2025.10 or 2023.21 immediately.
Actively exploited in the wild - CVE-2026-48282 is a critical path traversal vulnerability in Adobe ColdFusion versions 2025.9, 2023.20, and earlier that grants unauthenticated attackers remote code execution as the current user. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog; patch without delay.
Overview
CVE-2026-48282 is an Improper Limitation of a Pathname to a Restricted Directory (path traversal) vulnerability in Adobe ColdFusion. An attacker can send a specially crafted HTTP request to traverse outside the intended directory structure, allowing file upload or manipulation that leads to arbitrary code execution. The vulnerability requires no authentication and no user interaction, making it highly exploitable over the network.
The CVSS score of 10.0 (Critical) reflects the combination of network-based attack vector, low complexity, no privileges required, and no user interaction. Notably, the scope is changed, meaning the impact may extend beyond the vulnerable component to adjacent resources.
Impact
Successful exploitation gives an attacker the ability to execute arbitrary code in the context of the affected user account on the ColdFusion server. This can lead to full server compromise, data theft, lateral movement within the network, and persistence. Given active exploitation in the wild, the window for proactive defense is closing.
Systems running ColdFusion 2025.9, 2023.20, or earlier versions are immediately at risk. Organizations using ColdFusion in production should treat this as a highest-priority incident.
Remediation
Adobe has released patched versions to address this vulnerability:
- Upgrade to ColdFusion 2025.10 (or later)
- Upgrade to ColdFusion 2023.21 (or later)
For environments where immediate patching is not possible, apply network-level restrictions to limit access to the ColdFusion administrative interface and web-accessible resources. Consider placing ColdFusion servers behind a web application firewall (WAF) capable of detecting path traversal patterns. Monitor logs for unusual file system access or unexpected process execution.
Security Insight
ColdFusion continues to be a high-value target for threat actors due to its prevalence in enterprise web applications and its historical track record of critical vulnerabilities. This CVE-2026-48282 mirrors a pattern seen in previous ColdFusion path traversal flaws, notably CVE-2023-29298 and CVE-2024-20767, where attackers weaponized similar vectors for ransomware deployment and data exfiltration. The inclusion on CISA KEV suggests state-sponsored or financially motivated groups have operationalized this exploit, underscoring the importance of proactive patch management for unsupported or legacy ColdFusion installations. For continued coverage of exploited vulnerabilities and breach news, visit our breach reports and security news.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| imbas007/CVE-2026-48282 | ★ 1 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
Related Advisories
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or St...
The Stackfield Desktop App before 1.10.2 for macOS and Windows contains a path traversal vulnerability in certain decryption functionality when processing the filePath property. A malicious export can...
SiYuan is a personal knowledge management system. Prior to 3.5.10, a path traversal vulnerability in the /export endpoint allows an attacker to read arbitrary files from the server filesystem. By expl...
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.5 and earlier, a path traversal vulnerability in the PWA (Progressive Web App) ZIP processing endpoint...