Adobe shipped an emergency security bulletin, APSB26-68, on June 30, 2026, patching 11 vulnerabilities across ColdFusion 2025 and ColdFusion 2023 — six of them rated the maximum CVSS 10.0. A companion bulletin patched a separate CVSS 10.0 flaw in Adobe Campaign Classic. Within hours of the bulletin going public, researchers observed the first live exploitation attempts against the headline path-traversal bug, CVE-2026-48282.

What Happened

The bulk of APSB26-68’s flaws trace back to ColdFusion’s Remote Development Services (RDS) feature — a legacy component that lets IDEs talk to a running ColdFusion server over HTTP to browse the filesystem, run database queries, and assist with remote debugging. RDS is meant to be used only with authentication enabled and is not supposed to be internet-facing, but it ships enabled by default on many installs, and plenty of production servers never disable it.

Adobe’s advisory groups the RDS issues loosely, but researchers at watchtowr Labs reverse-engineered the actual fixes and found the bulletin quietly closed off arbitrary file write, arbitrary file read, arbitrary file move, arbitrary file delete, directory creation, and directory listing — far more than the advisory text describes. watchtowr demonstrated working exploitation by posting a malformed request to /CFIDE/main/ide.cfm?ACTION=FILEIO, which writes a .cfm script directly into the webroot. Once that file lands, a follow-up request triggers it, and cfexecute tags inside the planted script give the attacker arbitrary OS command execution, confirmed on Windows (launching calc) and with standard shell commands.

Technical Details

CVSS 10.0 (maximum severity):

  • CVE-2026-48276 — unrestricted file upload
  • CVE-2026-48277 — improper input validation
  • CVE-2026-48281 — improper input validation
  • CVE-2026-48282 — path traversal (arbitrary file write) — the flaw seen under active exploitation
  • CVE-2026-48283 — unrestricted file upload
  • CVE-2026-48316 — improper input validation

CVSS 9.3:

  • CVE-2026-48313 — path traversal (arbitrary file read)
  • CVE-2026-48315 — improper input validation

CVSS 8.8 / 8.6 / 6.5:

  • CVE-2026-48307 — reflected XSS / security bypass
  • CVE-2026-48285 — server-side request forgery
  • CVE-2026-48314 — path traversal (lower-impact variant)

  • Affected versions: ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), on all supported platforms.
  • Fixed in: ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
  • Attack vector: Network, over HTTP to the RDS endpoint — no authentication required if RDS auth is disabled, which is common in default and legacy deployments.
  • Adobe Priority Rating: 1 — Adobe’s top tier, reserved for flaws it expects to be weaponized quickly.

The separate Adobe Campaign Classic bulletin patches CVE-2026-48286, an incorrect-authorization flaw also rated CVSS 10.0, with impact up to arbitrary code execution on the Campaign Classic server.

Impact

Any organization running an internet-facing or internally reachable ColdFusion server with RDS enabled is exposed to unauthenticated remote code execution. Given ColdFusion’s long history as a target — CitrixBleed-style scanning campaigns and mass exploitation of prior ColdFusion CVEs by both opportunistic crimeware and APT groups are well documented — a CVSS 10.0 RCE reachable pre-auth is close to a worst case. The first observed in-the-wild attempt targeted C:\Windows\win.ini via the READ action, a classic canary probe attackers use to confirm an exploit works before deploying a real payload. Expect that reconnaissance to turn into actual webshell and ransomware-precursor activity within days, consistent with how prior ColdFusion RCEs have been exploited.

Mitigation

  • Patch immediately to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21.
  • Disable RDS if it isn’t actively needed for development — it should never be enabled on production or internet-facing servers.
  • Enforce RDS authentication if the feature must stay on; do not run it with auth disabled.
  • Block or restrict access to /CFIDE/ and RDS-related endpoints at the network layer (WAF, reverse proxy, firewall) for any server that doesn’t strictly require external IDE connectivity.
  • Hunt for indicators: unexpected .cfm files in the webroot, RDS access logs with ACTION=FILEIO or similar parameters, and outbound connections initiated by the ColdFusion service account.
  • Isolate legacy ColdFusion instances that can’t be patched quickly behind a segmented network with no direct internet exposure.
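As an added example (not code from Adobe or from the watchtowr write-up), this Python script applies the log-hunting step above to a few constructed web access-log lines: it flags every request to the RDS endpoint /CFIDE/main/ide.cfm, treats ACTION=FILEIO hits as high severity, and does the path and parameter matching case-insensitively so Windows/IIS variations are not missed. The combined-log format, the IP addresses and the non-FILEIO action value are assumptions made for the sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined-log style. They are not
# real traffic; only the RDS path and the ACTION=FILEIO parameter come from
# the advisory write-up. "ACTION=OTHER" is a made-up non-FILEIO value.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2026:14:02:11 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jun/2026:14:02:15 +0000] "POST /CFIDE/main/ide.cfm?ACTION=FILEIO HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.9 - - [30/Jun/2026:14:03:01 +0000] "GET /cfide/main/ide.cfm?action=fileio HTTP/1.1" 200 48 "-" "curl/8.4"
192.0.2.4 - - [30/Jun/2026:14:05:40 +0000] "GET /CFIDE/main/ide.cfm?ACTION=OTHER HTTP/1.1" 200 200 "-" "Mozilla/5.0"
192.0.2.4 - - [30/Jun/2026:14:06:02 +0000] "GET /shop/cart.cfm?ACTION=FILEIO HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

RDS_PATH = "/cfide/main/ide.cfm"  # compared lower-cased: Windows paths are case-insensitive


def classify(line):
    """Return a finding dict for a line that hits the RDS endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.lower() != RDS_PATH:
        return None
    # Fold query keys and values so ACTION=FILEIO and action=fileio match alike.
    query = {k.lower(): [v.upper() for v in vals] for k, vals in parse_qs(parts.query).items()}
    action = query.get("action", ["?"])[0]
    # Any RDS hit is worth a look on a production box; FILEIO is the file-write path.
    severity = "high" if action == "FILEIO" else "medium"
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "action": action, "status": int(m.group("status")), "severity": severity}


def hunt(log_text):
    """Run classify() over every line and keep only the RDS findings, in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['time']} {f['ip']} {f['method']} "
              f"ACTION={f['action']} status={f['status']}")
```

Pointing hunt() at a real access log means reading the file and passing its text; a non-empty result on a server that is not meant to expose RDS is the cue to pull the webroot and the RDS settings next.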
