Adobe ColdFusion CVE-2026-48282 hits honeypots within hours of writeup
KEVIntel logged in-the-wild exploitation of Adobe ColdFusion CVE-2026-48282 within two hours of watchTowr's July 2 technical writeup. Path traversal → RCE, pre-auth, CVSS 10.
Threat-intelligence service KEVIntel captured in-the-wild exploitation of CVE-2026-48282 on July 2, 2026, within roughly two hours of watchTowr Labs publishing a technical writeup of the same bug. The flaw is a CVSS 10 path traversal in the Adobe ColdFusion Remote Development Services (RDS) FILEIO handler that yields unauthenticated remote code execution on unpatched instances. Adobe shipped the fix in APSB26-68 two days earlier, on June 30 — the same emergency bulletin we covered on July 1 when Adobe said it was "not aware" of any exploitation.
What the bug does
Per watchTowr's writeup, /CFIDE/main/ide.cfm?ACTION=FILEIO accepts unauthenticated POST requests and passes attacker-controlled file paths straight through the RDS handler. The published proof-of-concept writes a shell.cfm payload to the webroot, then triggers execution via a follow-up GET. The same round of fixes quietly closed adjacent RDS bugs — arbitrary file read (CVE-2026-48313), file move, file delete, directory creation and listing — all in the same handler surface, all pre-auth.
CWE-22 path traversal at CVSS 10 in a legacy IDE-facing endpoint is the textbook "why is this on the internet in 2026" bug.
Affected versions
- ColdFusion 2025: Update 9 and earlier — fixed in Update 10.
- ColdFusion 2023: Update 20 and earlier — fixed in Update 21.
- ColdFusion 2021 is out of core support. No fix.
Exposure
Shadowserver's public dashboard indicates roughly 800 Adobe ColdFusion instances reachable from the internet at the time of writing. The Shodan query for ColdFusion admin surface remains straightforward:
http.title:"Adobe ColdFusion"
http.html:"/CFIDE/administrator"
Any of those on Update 9 or Update 20 with /CFIDE/main/ide.cfm reachable is currently one HTTP request away from a webshell.
Exploitation status
- watchTowr Labs published the technical writeup on July 2, 2026, including the working
FILEIOPoC. - KEVIntel logged the first in-the-wild attempt against its global honeypot network within roughly two hours of publication. Per KEVIntel via Bleeping Computer, the source IP geolocated to India.
- Adobe now confirms exploitation — the June 30 bulletin's "not aware of exploits" line no longer holds. Help Net Security's July 7 write-up and Security Affairs' companion both track the same window.
- CISA KEV has not, at time of writing, added CVE-2026-48282 to the catalog. Historical precedent on ColdFusion RCEs (CVE-2023-26360, CVE-2024-20767) suggests the addition arrives within days once federal telemetry corroborates the honeypot signal.
Action checklist
- Patch ColdFusion 2025 to Update 10 and ColdFusion 2023 to Update 21 today. The exploit is public, weaponized, and firing at honeypots. This is no longer a maintenance-window call.
- If you cannot patch this shift, remove
/CFIDE/main/ide.cfmfrom the internet. Block the RDS endpoint at the reverse proxy or WAF. RDS should not be reachable from an untrusted network under any lockdown guide; if it is, that's the first fix. - Hunt for post-exploit artifacts on any historically internet-facing instance. Look for
.cfm,.cfml,.cfc, or.jspfiles created after July 2, 2026 under the webroot, thecfusioninstall tree, and/CFIDE/. Diff against a clean Update 9 or Update 20 tree. The published PoC drops ashell.cfm, but any file name is possible. - Rotate any credential that lived on a pre-patch instance. Datasource passwords, admin credentials, service-account tokens, any
application.cfc-scoped secret. - Apply the ColdFusion 2025 lockdown guide. RDS off,
/CFIDE/administrator/behind allowlist, least-privilege service accounts. This bounds the blast radius even against the next RDS CVE.
Context
ColdFusion has a heavy tail of KEV entries — CVE-2023-26360, CVE-2023-38203, CVE-2024-20767, CVE-2024-53961 — each disclosed as "not currently exploited" and each promoted to actively-exploited within weeks. This one collapsed the gap to hours: 6 days from patch, and about 2 hours from technical writeup to first honeypot hit. APSB26-68 is playing out exactly like the pattern our July 1 coverage called out — CVE-2026-48282 is the first of the six CVSS-10 CVEs to trip the wire, and the RDS-adjacent read primitive (CVE-2026-48313) is the obvious next candidate for a follow-on writeup.
The reproducible signal for defenders is the timing itself: when a patch, a technical writeup, and a honeypot hit land in the same 72-hour window, the fixed-version diff is short and the exploit class is well-worn (path traversal + writable webroot + interpreter execution). None of that is exotic. Treat the remaining five CVSS-10 CVEs in APSB26-68 as pre-exploited by policy until the patch is deployed.