Cyber Threat Brief — July 9 2026
⚠️ This report is AI-generated. Always validate findings.
1. Adobe ColdFusion RDS Webshell Upload — CVE-2026-48282
TL;DR: CVSS 10.0 unauthenticated RCE via RDS FILEIO path traversal in Adobe ColdFusion. Exploited ITW since July 2 — minutes after watchTowr’s technical analysis dropped. CISA KEV’d July 8 with July 10 federal deadline.
What’s New:
- Path traversal in
/CFIDE/main/ide.cfm?ACTION=FILEIOallows arbitrary file write when RDS is enabled and RDS auth is disabled - Attacker uploads CFML webshell with
cfexecutetags to web-servable path, achieving RCE as the ColdFusion service account - KEVIntel honeypots detected exploitation July 2, same day as watchTowr writeup; Resecurity independently tracking
- Affects ColdFusion 2025 update 9 and earlier, ColdFusion 2023 update 20 and earlier
- Patched June 30 in APSB26-68 (CF2025u10, CF2023u21); ~750 internet-facing CF servers tracked by Shadowserver
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
POST /CFIDE/main/ide.cfm?ACTION=FILEIO | URI pattern | T1190 | WAF / web access logs | Block external access to /CFIDE/ and RDS endpoints |
New .cfm, .cfc, .cfml, .jsp files in wwwroot/CFIDE/, cfusion/wwwroot/, cf_scripts/ | File creation | T1505.003 | File integrity / Sysmon EID 11 | Alert on new script files in CF web dirs |
coldfusion.exe or CF java.exe spawning cmd.exe, powershell.exe, whoami, certutil, curl | Process chain | T1059.001 / T1059.003 | EDR / Sysmon EID 1 | Alert on CF service spawning shell processes |
| Outbound connections from CF server post-exploitation | C2 | T1071.001 | Firewall / NDR | Baseline and alert on anomalous outbound from CF hosts |
HTTP requests to /CFIDE/administrator/, /CFIDE/adminapi/ from external IPs | Recon | T1190 | WAF / web access logs | Block and alert on external admin path access |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | No ColdFusion-specific RDS exploitation rule; need URI pattern match on /CFIDE/main/ide.cfm?ACTION=FILEIO |
| Elastic | Web Shell Detection: Script Process Child of Common Web Processes (partial) | No ColdFusion-specific rule; Java parent process may not match typical web server patterns |
| Sigma | webshell_detection_file_creation.yml (generic) | No ColdFusion RDS-specific rule; need .cfm/.cfc file creation alerting in CF web root |
Sources: watchTowr analysis, Resecurity writeup, Help Net Security, CISA KEV, GitHub PoC
Status Updates
- CVE-2026-48908 / CVE-2026-56290 (Joomla Page Builders): CISA KEV federal deadline TOMORROW July 10. Both CVSS 10.0 unauthenticated file upload RCE, actively exploited. Original brief.
- CVE-2026-55255 (Langflow IDOR): CISA KEV federal deadline TOMORROW July 10. Sysdig detailed attacker TTPs: flow enumeration via
/api/v1/flows/→ IDOR on/api/v1/responseswith prompt “leak api keys” for LLM/AWS credential theft. Attacker IP45.207.216.55. Original brief. - CVE-2026-20896 (Gitea Docker Auth Bypass): Active exploitation confirmed by Sysdig July 7. ProtonVPN exit node
159.26.98[.]241scanning ~6,200 exposed instances. Original brief.