Cyber Threat Brief — July 9 2026

⚠️ This report is AI-generated. Always validate findings.

1. Adobe ColdFusion RDS Webshell Upload — CVE-2026-48282

TL;DR: CVSS 10.0 unauthenticated RCE via RDS FILEIO path traversal in Adobe ColdFusion. Exploited ITW since July 2 — minutes after watchTowr’s technical analysis dropped. CISA KEV’d July 8 with July 10 federal deadline.

What’s New:

  • Path traversal in /CFIDE/main/ide.cfm?ACTION=FILEIO allows arbitrary file write when RDS is enabled and RDS auth is disabled
  • Attacker uploads CFML webshell with cfexecute tags to web-servable path, achieving RCE as the ColdFusion service account
  • KEVIntel honeypots detected exploitation July 2, same day as watchTowr writeup; Resecurity independently tracking
  • Affects ColdFusion 2025 update 9 and earlier, ColdFusion 2023 update 20 and earlier
  • Patched June 30 in APSB26-68 (CF2025u10, CF2023u21); ~750 internet-facing CF servers tracked by Shadowserver

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
POST /CFIDE/main/ide.cfm?ACTION=FILEIOURI patternT1190WAF / web access logsBlock external access to /CFIDE/ and RDS endpoints
New .cfm, .cfc, .cfml, .jsp files in wwwroot/CFIDE/, cfusion/wwwroot/, cf_scripts/File creationT1505.003File integrity / Sysmon EID 11Alert on new script files in CF web dirs
coldfusion.exe or CF java.exe spawning cmd.exe, powershell.exe, whoami, certutil, curlProcess chainT1059.001 / T1059.003EDR / Sysmon EID 1Alert on CF service spawning shell processes
Outbound connections from CF server post-exploitationC2T1071.001Firewall / NDRBaseline and alert on anomalous outbound from CF hosts
HTTP requests to /CFIDE/administrator/, /CFIDE/adminapi/ from external IPsReconT1190WAF / web access logsBlock and alert on external admin path access

Detection

SourceRuleGap
Splunk ESCUWeb Shell Indicator (generic)No ColdFusion-specific RDS exploitation rule; need URI pattern match on /CFIDE/main/ide.cfm?ACTION=FILEIO
ElasticWeb Shell Detection: Script Process Child of Common Web Processes (partial)No ColdFusion-specific rule; Java parent process may not match typical web server patterns
Sigmawebshell_detection_file_creation.yml (generic)No ColdFusion RDS-specific rule; need .cfm/.cfc file creation alerting in CF web root

Sources: watchTowr analysis, Resecurity writeup, Help Net Security, CISA KEV, GitHub PoC


Status Updates

  • CVE-2026-48908 / CVE-2026-56290 (Joomla Page Builders): CISA KEV federal deadline TOMORROW July 10. Both CVSS 10.0 unauthenticated file upload RCE, actively exploited. Original brief.
  • CVE-2026-55255 (Langflow IDOR): CISA KEV federal deadline TOMORROW July 10. Sysdig detailed attacker TTPs: flow enumeration via /api/v1/flows/ → IDOR on /api/v1/responses with prompt “leak api keys” for LLM/AWS credential theft. Attacker IP 45.207.216.55. Original brief.
  • CVE-2026-20896 (Gitea Docker Auth Bypass): Active exploitation confirmed by Sysdig July 7. ProtonVPN exit node 159.26.98[.]241 scanning ~6,200 exposed instances. Original brief.