Detect CVE-2026-48282: Adobe ColdFusion Path Traversal Exploitation in Splunk
Detects exploitation attempts targeting CVE-2026-48282, a path traversal vulnerability (CWE-22) in Adobe ColdFusion. Active exploitation confirmed by CISA KEV listing. Attackers may use directory traversal sequences in HTTP requests to read sensitive files outside the web root, including configuration files containing credentials, or to achieve remote code execution via file write primitives.
MITRE ATT&CK
SPL Detection Query
index=web sourcetype IN (iis, apache_access, nginx_access)
(uri_path="*../*" OR uri_path="*..%2f*" OR uri_path="*..%2F*" OR uri_path="*%2e%2e%2f*" OR uri_path="*%252e%252e*" OR uri_query="*../*" OR uri_query="*..%2f*")
(uri_path="*.cfm*" OR uri_path="*.cfc*" OR uri_path="*/CFIDE/*" OR uri_path="*/cfide/*" OR uri_path="*/cf_scripts/*" OR uri_path="*/rest/*")
| eval traversal_depth=mvcount(split(uri_path,"../"))-1
| eval uri_combined=coalesce(uri_path,"") . coalesce(uri_query,"")
| rex field=uri_combined max_match=5 "(?i)(\.\./|%2e%2e[/%5c]|%252e%252e)" AS traversal_sequences
| eval targeted_sensitive=if(match(uri_combined, "(?i)(password|passwd|secret|credential|config\.xml|neo-security\.xml|password\.properties|server\.xml|web\.xml|\.pfx|\.pem|\.key)"), 1, 0)
| stats
count AS request_count,
dc(uri_path) AS unique_uris,
values(status) AS http_statuses,
max(targeted_sensitive) AS hit_sensitive_file,
min(_time) AS first_seen,
max(_time) AS last_seen,
values(uri_path) AS traversal_uris
BY src_ip, host, sourcetype
| where request_count >= 1
| eval successful=(if(mvfind(http_statuses,"200")>=0, "YES", "NO"))
| eval severity=case(
hit_sensitive_file=1 AND successful="YES", "CRITICAL",
successful="YES", "HIGH",
hit_sensitive_file=1, "HIGH",
true(), "MEDIUM")
| sort -severity, -request_count
| table last_seen, src_ip, host, request_count, unique_uris, successful, hit_sensitive_file, severity, traversal_uris, http_statuses Splunk search detecting Adobe ColdFusion path traversal attempts across IIS, Apache, and Nginx access logs. Flags requests with traversal sequences targeting ColdFusion endpoints and escalates severity when sensitive configuration files are targeted and HTTP 200 responses observed.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration testing or red team engagements against ColdFusion infrastructure
- Web application firewalls or IDS/IPS systems that log decoded traversal sequences during inspection
- Poorly coded ColdFusion applications that pass relative paths through URL parameters for template includes
- Monitoring or synthetic transaction tools that generate parameterized requests with dot-encoded paths
Other platforms for CVE-2026-48282
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ColdFusion Path Traversal - Read neo-security.xml via URL traversal
Expected signal: IIS/Apache access log entry: GET /CFIDE/administrator/../../lib/neo-security.xml with source IP of test host. HTTP response code 200 if vulnerable, 400/403 if patched or WAF-blocked.
- Test 2ColdFusion Path Traversal - URL-encoded traversal to password.properties
Expected signal: Web server access log entry with URL-encoded traversal sequence. If server decodes before logging, DecodedURI will contain '../lib/password.properties'. If logged raw, csUriStem will contain '%2e%2e%2f%2e%2e%2f'.
- Test 3ColdFusion Path Traversal - Double-encoded traversal sequence (%252e%252e)
Expected signal: WAF logs should show the double-encoded payload. ColdFusion access logs may show decoded single-percent-encoded form if WAF decodes once before forwarding. Both log sources should be checked.
- Test 4ColdFusion Path Traversal - Enumerate ColdFusion web root via automated scan simulation
Expected signal: Multiple web server access log entries from the same source IP within a short window, each containing traversal sequences targeting different ColdFusion configuration file paths. HTTP response sizes will differ based on file accessibility.
References (4)
- https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-48282
Unlock Pro Content
Get the full detection package for CVE-2026-48282 including response playbook, investigation guide, and atomic red team tests.