Adobe released security bulletin APSB26-68 on June 30, 2026, addressing ten vulnerabilities in ColdFusion 2023 and 2025. Among them is CVE-2026-48282, rated CVSS 10.0, with confirmed exploitation in limited attacks. The RDS (Remote Development Services) module, a legacy component for remote development, is once again the critical focal point: a pre-authentication path traversal leading to arbitrary file write and, from there, remote code execution. The patched versions are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, both carrying a priority rating of 1, the highest urgency level.
- Ten CVEs resolved: six rated CVSS 10.0 Critical for arbitrary code execution, two rated CVSS 9.3 for arbitrary file read and privilege escalation, plus SSRF and reflected XSS, all in bulletin APSB26-68 per Adobe.
- Active exploitation confirmed: Adobe explicitly states that CVE-2026-48282 is exploited in-the-wild in limited attacks against ColdFusion installations.
- Verified technical mechanism: the RDS module exports FILEIO operations via a length-prefixed RPC protocol over HTTP POST to
/CFIDE/main/ide.cfm; the fix addsRdsFileSecurity.resolveCanonical()to block directory traversal using ".." sequences and null bytes. - Attack conditions narrow but severe: RDS is not enabled by default, but anyone who has enabled it without authentication exposes trivial pre-auth RCE via
.cfmfile writes to the webroot.
The RDS Module and ColdFusion's Technical Debt
Remote Development Services is a protocol designed to let developers interact remotely with the ColdFusion server: file management, query execution, debugging. watchTowr analyzed decompiled code from core/coldfusion/rds/FileServlet.java, where the servlet handles FILEIO operations — READ, WRITE, RENAME, REMOVE — encapsulated in length-prefixed RPC messages transmitted via HTTP POST to the /CFIDE/main/ide.cfm endpoint.
Before the APSB26-68 patch, the filename parameter was resolved directly without canonicalization. The code diff shows Adobe introduced RdsFileSecurity.resolveCanonical(): the target path is now normalized and validated, with explicit blocks for directory traversal sequences and null bytes. This breaks the chain that led to arbitrary file writes outside allowed paths and, consequently, the loading of executable code into the web server's served directory.
The architectural decision to keep RDS in the product, even though it is not enabled by default, represents a node of technical debt. The module is a recurring vector for critical vulnerabilities: its attack surface — filesystem operations exposed over the network — is inherently dangerous if path validation fails even once.
From Path Traversal to RCE: The CVE-2026-48282 Chain
watchTowr reconstructed and tested the full chain. An HTTP POST request to /CFIDE/main/ide.cfm?ACTION=FILEIO with a WRITE operation and a target path built with .. sequences allows writing a .cfm file to the ColdFusion webroot, typically under C:\ColdFusion2025\cfusion\wwwroot\. The file contains ColdFusion tags such as <cfexecute name="cmd.exe">, executable by then requesting the corresponding URL via GET.
The technical source describes this step as turning a "file write primitive" into a "trivial path to Remote Code Execution." The pre-authentication condition, in the tested context, stems from the combination of RDS enabled plus authentication disabled — a configuration watchTowr attributes to development scenarios or hardening errors.
Adobe classifies CVE-2026-48282 as Improper Limitation of Pathname to Restricted Directory (CWE-22) with impact "arbitrary code execution." The CVSS 10.0 score reflects network access without privileges, no user interaction, changed scope, and maximum impact on confidentiality, integrity, and availability.
CVE Mapping Uncertainty and Advisory Silences
Not all ten CVEs in the advisory have received public technical analysis. watchTowr examined two vulnerabilities in the RDS module in detail, attributing them with explicit uncertainty: CVE-2026-48282 to arbitrary file write, CVE-2026-48313 to arbitrary file read. For the other eight CVEs — including CVE-2026-48276, 48277, 48281, 48283, 48314, 48315, 48316, 48285, 48307 — the technical mechanism has not been published in the available analytical source.
"Adobe is aware that CVE-2026-48282 has been exploited in the wild in limited attacks targeting Adobe ColdFusion" — Adobe Security Bulletin APSB26-68
The same technical source notes that some CVEs mentioned in the Adobe advisory do not appear in the detailed list of the official documentation, raising questions about disclosure completeness: "Did Adobe get bored listing them?," watchTowr observes, albeit with the self-deprecating tone that accompanies its own methodological uncertainty ("We've performed some informed, uninformed, random guesses").
This limitation has operational consequences: administrators know ten vulnerabilities were fixed, but lack independent analysis to verify the attack surface of eight of them. The official advisory provides CWE categories and macro impact, not the technical payload path.
Immediate Actions
- Apply ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 immediately: Adobe assigns priority rating 1 to both versions, indicating update without delay.
- Verify RDS module status: if enabled, confirm authentication is active; if not needed for the operational environment, disable it.
- Inspect the webroot for unauthorized .cfm files: the CVE-2026-48282 chain leaves persistent traces in the form of uploaded files, detectable via integrity monitoring of the served directory.
- Correlate access logs to /CFIDE/main/ide.cfm with POST anomalies: FILEIO requests with suspicious payloads can be identified by analyzing the method, path, and ACTION parameter patterns.
Risk Profile and Target Geometry
ColdFusion remains an enterprise platform for long-standing web applications, often in contexts where replacement is costly or delayed by business constraints. The combination of CVSS 10.0 with confirmed exploitation turns CVE-2026-48282 into a mandatory trigger for every vulnerability management program that includes this technology in its perimeter.
The condition "RDS enabled without authentication" reduces the surface compared to a fully pre-auth vulnerability on a default installation, but does not lower the risk for instances matching that profile. The technical source verified the chain in that configuration; Adobe has not specified whether the in-the-wild attacks required similar conditions or exploited different vectors.
The presence of CVE-2026-48313 (CVSS 9.3, arbitrary file read) in the same RDS module suggests the issue was systemic in path handling, not isolated to a single operation. The unified fix via resolveCanonical() confirms this architectural reading.
What Remains Unclear
The dossier does not specify the numerical scope of the in-the-wild attacks: "limited attacks" is the only official qualification, with no indications on victims, sectors, or actors involved. No infrastructure overlaps emerge linking the observed activity to known groups at this stage.
The question of full disclosure remains open: eight CVEs without public technical analysis and some omissions in the tabular documentation leave uncertainty gaps for those who must calibrate compensating controls. The source does not specify whether public exploits exist beyond the watchTowr proof-of-concept, nor how many ColdFusion installations keep RDS active in production.
Sources
- https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza/
- https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html?ref=labs.watchtowr.com
- https://storage.ghost.io/c/a0/dc/a0dcbbe4-0ae7-4d7e-90f7-ebbc3a0f5a84/content/images/2026/07/image-8.png
Information verified against cited sources and current as of publication.