Adobe ColdFusion Remote Development Service Path Traversal

critical Web App Scanning Plugin ID 115295

Synopsis

Adobe ColdFusion Remote Development Service Path Traversal

Description

The remote Adobe ColdFusion instance has its Remote Development Service (RDS) enabled without authentication and is affected by a path traversal vulnerability in the RDS FILEIO handler exposed through the /CFIDE/main/ide.cfm endpoint. A remote, unauthenticated attacker can leverage this issue to read and write arbitrary files on the underlying file system, ultimately leading to arbitrary code execution in the context of the ColdFusion service account.

Adobe ColdFusion 2025 (Update 9 and earlier) and 2023 (Update 20 and earlier) are affected.

Solution

Upgrade to Adobe ColdFusion 2025 Update 10, ColdFusion 2023 Update 21 or later. If RDS is not required, ensure it is disabled and password protected.

See Also

https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html

Plugin Details

Severity: Critical

ID: 115295

Type: Check Based

Published: 7/13/2026

Updated: 7/13/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

Percentile: 99.86

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-48282

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS Score Source: CVE-2026-48282

Vulnerability Information

CPE: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 6/16/2026

CISA Known Exploited Vulnerability Due Dates: 7/10/2026

Reference Information

CVE: CVE-2026-48282