CVE-2026-48282 Google Chronicle · YARA-L

Detect CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation in Google Chronicle

Detects exploitation attempts targeting CVE-2026-48282, a path traversal vulnerability (CWE-22) in Adobe ColdFusion. Active exploitation confirmed by CISA KEV listing. Attackers may use directory traversal sequences in HTTP requests to read sensitive files outside the web root, including configuration files containing credentials, or to achieve remote code execution via file write primitives.

MITRE ATT&CK

Tactic
Initial Access Credential Access Lateral Movement

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral
rule cve_2026_48282_coldfusion_path_traversal {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-48282 Adobe ColdFusion path traversal exploitation attempts"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $req.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($req.network.http.request_url, `(?i)(\.\./|%2[eE]%2[eE][/%5c]|%252[eE]%252[eE]|%2[fF]%2[eE]%2[eE]%2[fF])`)
      or
      re.regex($req.network.http.request_url, `(?i)(\.%2[eE]/|%2[eE]%2[eE]%5[cC])`)
    )
    (
      re.regex($req.network.http.request_url, `(?i)(\.cfm|\.cfc|/[Cc][Ff][Ii][Dd][Ee]/|/cf_scripts/|/rest/|/flex2gateway/)`)
    )
    $req.principal.ip = $ip
    $req.network.http.response_code >= 0

  match:
    $ip over 10m

  outcome:
    $risk_score = max(
      if($req.network.http.response_code = 200, 95, 70)
    )
    $traversal_url = array_distinct($req.network.http.request_url)
    $response_codes = array_distinct($req.network.http.response_code)
    $target_host = array_distinct($req.target.hostname)

  condition:
    #req >= 1
}
critical severity high confidence

Chronicle YARA-L 2.0 rule detecting Adobe ColdFusion path traversal exploitation matching CVE-2026-48282. Triggers on HTTP requests containing traversal sequences directed at ColdFusion endpoints, with risk score elevated for HTTP 200 responses indicating successful traversal.

Data Sources

Chronicle SIEM HTTP EventsGoogle Cloud Armor LogsChronicle UDM Network Events

Required Tables

chronicle_udm_events

False Positives & Tuning

  • Chronicle ingesting WAF or IDS logs that decode and re-log traversal sequences during normalization
  • Third-party SaaS integration callbacks to ColdFusion APIs that use URL-encoded dot segments
  • Google Cloud Load Balancer access logs where path encoding varies across log pipeline stages
  • Automated uptime monitors testing ColdFusion REST endpoints with parameterized encoded paths

Other platforms for CVE-2026-48282


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1ColdFusion Path Traversal - Read neo-security.xml via URL traversal

    Expected signal: IIS/Apache access log entry: GET /CFIDE/administrator/../../lib/neo-security.xml with source IP of test host. HTTP response code 200 if vulnerable, 400/403 if patched or WAF-blocked.

  2. Test 2ColdFusion Path Traversal - URL-encoded traversal to password.properties

    Expected signal: Web server access log entry with URL-encoded traversal sequence. If server decodes before logging, DecodedURI will contain '../lib/password.properties'. If logged raw, csUriStem will contain '%2e%2e%2f%2e%2e%2f'.

  3. Test 3ColdFusion Path Traversal - Double-encoded traversal sequence (%252e%252e)

    Expected signal: WAF logs should show the double-encoded payload. ColdFusion access logs may show decoded single-percent-encoded form if WAF decodes once before forwarding. Both log sources should be checked.

  4. Test 4ColdFusion Path Traversal - Enumerate ColdFusion web root via automated scan simulation

    Expected signal: Multiple web server access log entries from the same source IP within a short window, each containing traversal sequences targeting different ColdFusion configuration file paths. HTTP response sizes will differ based on file accessibility.

Unlock Pro Content

Get the full detection package for CVE-2026-48282 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections