Lead Analysis
Security & Risk5 min

ColdFusion Under Fire: CISA Orders U.S. Federal Agencies to Patch CVE 10.0 by Friday

Administrador federal em sala de servidores revisando diretriz da CISA impressa com data de sexta marcada em vermelho, sob luz baixa de luminária.

Path traversal vulnerability received a maximum rating and became the target of active exploitation two hours after the technical bulletin. CISA set a deadline of July 10 for the Federal Civil Executive.

CISA has placed CVE-2026-48282, a path traversal vulnerability with a CVSS score of 10.0 in Adobe ColdFusion, in its Known Exploited Vulnerabilities catalog. All U.S. Federal Civil Executive agencies must apply the patch or take their servers offline by Friday, July 10. This marks the second time in three years that a critical ColdFusion vulnerability has been added to the catalog due to active exploitation.


The bug resides in the FILEIO handler of Remote Development Services (RDS), an interface that often remains enabled in development environments and legacy integrations. An unauthenticated remote attacker can read, write, rename, and delete files outside the permitted directory with a single forged HTTP request. Resecurity, in a separate analysis published on its blog, describes the vector as arbitrary file write with a direct path to remote code execution. The affected versions are ColdFusion 2025 prior to build Update 10 and ColdFusion 2023 prior to build Update 21. Adobe released patches on June 30 and classified the update as priority 1, a category reserved for products with a recent history of exploitation.


Two Hours Between Bulletin and First Exploit


Ryan Dewhurst, founder of KEVIntel, recorded attempts captured by honeypot sensors less than two hours after watchTowr Labs published a technical analysis of the flaws patched by Adobe. One of the requests came from an IP address geolocated in India attempting to read the file C:\Windows\win.ini, a classic path traversal test on Windows servers. watchTowr classified the issue as arbitrary file write, which, combined with the automatic execution of .cfm files by the ColdFusion engine, allows the installation of a webshell without requiring credentials.


RDS is not enabled by default in new installations. This seemingly minor detail in formal audits becomes critical in practice: it remains active in a long tail of legacy deployments, especially in development environments mistakenly exposed to the internet or within containers with misconfigured ports. SecurityWeek reported thousands of publicly accessible ColdFusion servers still in production within government agencies, law firms, and B2B integrators.


Where the Problem Hits: U.S., U.K., and Third-Party Infrastructure


The installed base of ColdFusion remains significant outside the Fortune 500 realm. In the United States, CISA has issued similar orders to federal agencies in 2023 (CVE-2023-26359) and 2024, and each wave has revealed vulnerable instances in at least half a dozen departments, from the Census Bureau to the Small Business Administration. In the U.K., the National Cyber Security Centre has been publishing specific bulletins on ColdFusion since 2023, reflecting its residual use in systems components for HMRC and in suppliers to the National Health Service. The Japanese JPCERT/CC often reproduces CISA's alerts within 48 hours, with relevant exposure found in regional banks' credit platforms integrated in the 2000s. Managed service providers serving financial clients in these three markets bear the risk in their own legacy hosting operations.


The patch application window is tight. Federal sysadmins face the choice of applying the update outside of a formal maintenance window or taking RDS offline externally, a move that tends to break internal deploy pipelines still dependent on the service. Third-party vendors hosting these environments must make a similar decision before 6 PM Eastern Time on Friday, when the CISA deadline expires.


What to Check Before the Weekend


The indicators of compromise reported by watchTowr and Resecurity are specific: unauthorized files within the /CFIDE/ directory, creation of .cfm files in folders that typically do not accept uploads, HTTP requests with encoded path traversal strings targeting /CFIDE/main/ide.cfm. Adobe's priority 1 designation indicates that sufficient technical details for an automated exploit kit are already public.


CVE-2026-48282 marks the second critical entry for ColdFusion in the KEV within three years and arrives four days after another round of seven critical vulnerabilities patched by Adobe in ColdFusion and Campaign Classic. For the CIO still operating an Application Server 12 in production because the migration cost seemed high, the calculations have changed this week.

Lead Analysis