CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation
Detects exploitation attempts targeting CVE-2026-48282, a path traversal vulnerability (CWE-22) in Adobe ColdFusion. Active exploitation confirmed by CISA KEV listing. Attackers may use directory traversal sequences in HTTP requests to read sensitive files outside the web root, including configuration files containing credentials, or to achieve remote code execution via file write primitives.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Adobe
- Product
- ColdFusion
Weakness (CWE)
Timeline
- Disclosed
- July 7, 2026
References & Proof of Concept
- https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48282
What is CVE-2026-48282 CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation?
CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation (CVE-2026-48282) maps to the Initial Access and Credential Access and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation, covering the data sources and telemetry it touches: IIS Web Logs, Azure Diagnostics, Microsoft Sentinel W3CIISLog. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
union W3CIISLog, AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where csUriStem has_any ("../", "..%2f", "..%2F", "%2e%2e", "..%5c", "..%5C", ".%2e/", "%2e./")
or csUriQuery has_any ("../", "..%2f", "..%2F", "%2e%2e", "..%5c", "..%5C")
or csUriStem matches regex @"(\.\./|%2[eE]%2[eE]|%252[eE]%252[eE])"
| where csUriStem has_any (".cfm", ".cfc", "/CFIDE/", "/cfide/", "/cf_scripts/")
or csUriStem has_any ("/administrator/", "/rest/", "/flex2gateway/")
| extend TraversalDepth = array_length(extract_all(@"(\.\./|%2[eE]%2[eE]/)", strcat(csUriStem, csUriQuery)))
| extend TargetedFile = extract(@"([\w.-]+\.(xml|properties|ini|pwd|pfx|p12|key|pem|cfm|cfc|log))$", 0, csUriStem)
| extend AttackerIP = iff(isnotempty(cIP), cIP, CallerIpAddress)
| where TraversalDepth >= 1 or isnotempty(TargetedFile)
| summarize
RequestCount = count(),
UniqueURIs = dcount(csUriStem),
UniqueTargets = make_set(TargetedFile, 20),
StatusCodes = make_set(scStatus, 10),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by AttackerIP, csHost, bin(TimeGenerated, 5m)
| where RequestCount >= 1
| extend SuccessfulTraversal = set_has_element(StatusCodes, "200")
| project-reorder LastSeen, AttackerIP, csHost, RequestCount, UniqueURIs, UniqueTargets, SuccessfulTraversal, StatusCodes Detects HTTP requests to Adobe ColdFusion endpoints containing path traversal sequences in URI stem or query parameters. Summarizes traversal attempts by source IP and tracks whether any returned HTTP 200 (successful read).
Data Sources
Required Tables
False Positives
- Legitimate URL-encoded paths in complex REST API calls that coincidentally contain encoded dots
- Web application vulnerability scanners (Burp Suite, Nessus, Qualys) running authorized assessments
- CDN or reverse proxy health checks that encode special characters in forwarded URIs
- Legacy ColdFusion applications that use relative paths in cfinclude tags surfacing in request logs
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation (CVE-2026-48282) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
product: azure Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-48282
References (4)
- https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48282
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ColdFusion Path Traversal - Read neo-security.xml via URL traversal
Expected signal: IIS/Apache access log entry: GET /CFIDE/administrator/../../lib/neo-security.xml with source IP of test host. HTTP response code 200 if vulnerable, 400/403 if patched or WAF-blocked.
- Test 2ColdFusion Path Traversal - URL-encoded traversal to password.properties
Expected signal: Web server access log entry with URL-encoded traversal sequence. If server decodes before logging, DecodedURI will contain '../lib/password.properties'. If logged raw, csUriStem will contain '%2e%2e%2f%2e%2e%2f'.
- Test 3ColdFusion Path Traversal - Double-encoded traversal sequence (%252e%252e)
Expected signal: WAF logs should show the double-encoded payload. ColdFusion access logs may show decoded single-percent-encoded form if WAF decodes once before forwarding. Both log sources should be checked.
- Test 4ColdFusion Path Traversal - Enumerate ColdFusion web root via automated scan simulation
Expected signal: Multiple web server access log entries from the same source IP within a short window, each containing traversal sequences targeting different ColdFusion configuration file paths. HTTP response sizes will differ based on file accessibility.
Unlock Pro Content
Get the full detection package for CVE-2026-48282 including response playbook, investigation guide, and atomic red team tests.