Zero-Day CISA KEV Active Exploit

One forgotten RDS toggle hands Adobe ColdFusion to SYSTEM

July 10, 2026·9 min read·Chris Boker, Founder, CVEasy AI
A ColdFusion RDS toggle left on lets a path traversal escape into the webroot as a SYSTEM shell

The RDS switch in the ColdFusion administrator is a checkbox a lot of teams flipped on in 2018, when they were wiring the app up in Dreamweaver, and never thought about again. Fresh installs ship with it off, but plenty of production servers still run with it on and the RDS password blank because the same image was promoted forward from dev. The checkbox controls a small RPC bridge that IDEs used to talk to a remote server: browse files, read them, write them, run debug commands. With RDS on and no password, an anonymous request to /CFIDE/main/ide.cfm can drive that bridge. CVE-2026-48282 is what happens when the bridge lets the request pick its own destination.

Adobe patched the flaw on June 30, 2026 as part of security bulletin APSB26-68, and NVD scored it at CVSS 10.0 (NVD advisory). Two days later, on July 2, watchTowr Labs published the technical write-up that made the bug reproducible from a single HTTP request (watchTowr Labs). Within about two hours, KEVIntel honeypots caught the first live exploitation attempts using the exact traversal from that write-up (Help Net Security). CISA added the CVE to its Known Exploited Vulnerabilities catalog on July 7 with a federal remediation deadline of today, July 10 (CISA).

What FILEIO was supposed to be

Remote Development Services is the RPC layer that lets a ColdFusion IDE ask a remote server to open a file, save a file, list a directory, or run a database query. Its entry point is /CFIDE/main/ide.cfm, and the ACTION query parameter selects the method: FILEIO for file operations, DBACCESS for schema queries, DBGDEBUG for the debugger. The FILEIO handler is what the IDE invokes when a developer clicks Save. It accepts a sub-command (READ, WRITE, LIST, DELETE), a server-side path, and, for WRITE, the file contents. None of it was meant to be reachable from the public internet; Adobe assumed either RDS would be off or the RDS password would gate every call.

The path check ide.cfm never made

The exploit is a single POST to /CFIDE/main/ide.cfm?ACTION=FILEIO. The body carries the FILEIO sub-command set to WRITE, a target file path, and the file contents. The path field accepts ../ segments, and nothing in the handler canonicalizes the string before it reaches the underlying Java file API. The write lands wherever the traversal points, as long as the ColdFusion service account can write there. On Windows that account defaults to NT AUTHORITY\SYSTEM; on Linux it usually runs as a service user with write access across the ColdFusion install tree. watchTowr's write-up walks the servlet method that resolves the path parameter and shows where the escape check is missing (watchTowr Labs). Reproductions from Orca Security and Resecurity confirm the same primitive.

Two conditions have to hold for the request to succeed: RDS enabled, and the RDS password empty or already known. Those are the same two conditions a lot of production servers still meet, which is why the CVSS 10.0 rating holds up in the field. The default is one setting; the running config is another, and the running config is what answers the request.

The core problem: an RPC bridge intended for a local IDE was shipped with a path resolver that never checked whether the caller could escape its working directory, and a lot of production instances still expose that bridge to the internet with an empty password.

A .cfm dropped into the webroot becomes a shell as SYSTEM

Writing an arbitrary file is the primitive; code execution is a follow-up request. The attacker traverses into the ColdFusion webroot (commonly C:\ColdFusion2025\cfusion\wwwroot on Windows and /opt/coldfusion2025/cfusion/wwwroot on Linux) and drops a file with a .cfm extension. Any subsequent GET to that path forces ColdFusion to parse and execute the CFML tags inside. The tag every observed webshell uses is <cfexecute>, which spawns an OS process synchronously and captures its output. A four-line CFML file becomes a fully interactive shell that takes commands as query parameters, and because the ColdFusion service inherits SYSTEM on Windows or a broadly privileged service user on Linux, that shell inherits the highest local privilege the box has.

What the honeypots caught in the first forty-eight hours

The earliest captured payloads were reconnaissance: attackers used the same traversal with the READ sub-command to pull C:\Windows\win.ini from the server, a standard sanity check before dropping a heavier payload. By the time CISA added the CVE to KEV on July 7, observed activity had shifted to persistent CFML webshells placed in /CFIDE/scripts/ and /CFIDE/administrator/ on exposed servers (Security Affairs). Adobe updated APSB26-68 on the same day to acknowledge limited exploitation in the wild. A community detection kit on GitHub documents the traversal payloads and the auditd and process telemetry the resulting cfexecute chains produce (detection notes).

Why a CVSS 10.0 alone still ranks this wrong

CVSS 10.0 puts the CVE in the same visual bucket as every other max score of the quarter. What CVSS does not capture is whether the specific instance in your inventory has RDS on with an empty password. That single configuration fact separates an internet-exposed SYSTEM shell from a benign patch you can schedule on the normal cadence. A scanner that flags every ColdFusion instance Critical on version match will bury the two servers that actually accept the FILEIO request in a queue of forty that do not. The signal that matters lives one config layer below the version string.

Reading CVE-2026-48282 through the TRIS layers

TRIS is the Threat and Risk Intelligence Scoring engine inside CVEasy AI. It walks four layers before deciding where this finding lands in your queue.

Exploitation state. Public PoC, CISA KEV listing, honeypots recording live exploitation about two hours after the write-up went up, FCEB deadline expired today. Full ACT tier weight. The case notes keep a distinction between a proven PoC (which this is) and confirmed abuse of your specific instance (a separate log-hunt question).

Exposure of the specific asset. TRIS asks whether the instance has RDS on, whether the RDS password is set, and whether /CFIDE/ is reachable from the public internet or only from an internal segment. A 2025 Update 9 instance behind a WAF that returns 403 for /CFIDE/ is a different exposure from an internet-facing box that returns 200, and this layer collapses the score by a full band for well-perimetered assets.

Blast radius from the box. Service account is the amplifier. The same CVE scores higher on a Windows install running as SYSTEM than on a Linux install where a hardened service user is the ceiling.

Patch status honest to the sources. Adobe shipped ColdFusion 2025 Update 10 and 2023 Update 21 on June 30; TRIS marks the finding closed only when the running build reports one of those. Interim mitigation like disabling RDS or WAF-blocking the path drops the score into a mid-band state that keeps the analyst watching without leaving it at emergency red.

Net effect: the same CVE lands as top-band ACT on an exposed 2023 Update 20 box running as SYSTEM, and as a mid-band finding on a sandboxed 2025 Update 9 box behind a WAF with RDS off, which is a distinction the raw version string alone would never surface for the analyst.

Patch, block, hunt, rotate

Patch. Apply APSB26-68 today: ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21. The patches add the missing canonicalization in the FILEIO handler and reject any path parameter that escapes the RDS working directory.

Block. If you cannot patch today, disable RDS in the administrator, block /CFIDE/ at your reverse proxy or WAF for any request not from your developer VPN, and set a strong RDS password even after disabling the service so a re-enable does not immediately reopen the primitive.

Hunt. Search web server logs for POST requests to /CFIDE/main/ide.cfm with ACTION=FILEIO, especially any WRITE sub-command carrying .cfm, .cfc, or .jsp filenames. On disk, look for unfamiliar .cfm files under /CFIDE/scripts/, /CFIDE/administrator/, and the webroot with creation times in early July. In endpoint telemetry, alert on the ColdFusion or jrun process spawning cmd.exe, powershell.exe, bash, or sh; that is the webshell in action.

Rotate. If any indicator hits, rotate the ColdFusion service account credentials, datasource passwords in the administrator, application secrets on the host, and any AD or IAM credentials the SYSTEM account could have touched through cached tokens. If SYSTEM ran the webshell, every credential the box could reach is burned.

Do not skip the rotate step. A CFML webshell running under SYSTEM can read the local SAM, dump LSASS, pull datasource passwords straight from neo-datasource.xml, and hit any AD-joined service on your network. Patching the FILEIO handler closes the front door. It does nothing about the keys the intruder already copied while the door was open.

How CVEasy AI surfaces this

CVEasy AI, the number one local-first CTEM platform, ingests Adobe's advisory, CISA KEV, watchTowr's write-up, and vendor honeypot telemetry as they land. TRIS scores CVE-2026-48282 against the actual configuration of every ColdFusion instance in your inventory: update level, RDS state, RDS password presence, whether /CFIDE/ is reachable from outside your perimeter, and the service account the process runs under. The finding the analyst opens names the exposed hosts, orders remediation by real exposure rather than raw CVSS, and hands over the log queries needed to check for prior compromise on each one. Configuration files, asset inventory, and process telemetry never leave your hardware; the analysis runs on the box you own. A version string alone was never enough to tell an emergency from a routine patch. The configuration layers underneath decide which servers actually accept the FILEIO request, and those layers are what TRIS is designed to read.

Sources: Adobe APSB26-68, watchTowr Labs, NVD CVE-2026-48282, Help Net Security, Orca Security, Resecurity, CISA KEV, Security Affairs, community detection notes

Your scanner saw a CVSS 10. It never saw which servers actually accept the request.

CVEasy AI's TRIS engine scores ColdFusion instances against configuration reality, not the vendor advisory alone, and hands your analyst the exposed hosts in remediation order.

Related Reading