# REPRO-2026-00262: ColdFusion 2025 Lockdown: open-RDS unauth direct-Tomcat absolute-path FILEIO RCE confirmed ## Summary Status: published Severity: critical Type: security Confidence: medium ## Identifiers REPRO ID: REPRO-2026-00262 CVE: CVE-2026-48282 ## Package Name: Unknown Ecosystem: Unknown Affected: Unknown Fixed: Unknown ## Root Cause ## Summary CVE-2026-48282 is an Adobe ColdFusion Remote Development Services (RDS) FILEIO path handling flaw reachable through `POST /CFIDE/main/ide.cfm?ACTION=FILEIO`. The patched ColdFusion 2025 Update 10 code rejects `..` directory-traversal segments, but it still accepts attacker-supplied absolute paths and passes them to the real FILEIO read/write operators. In this run, the target was Adobe ColdFusion 2025 Update 10 with the official Server Auto-Lockdown installer successfully applied. Apache lockdown rules blocked `/CFIDE`, but the direct ColdFusion Tomcat endpoint remained reachable. When the RDS deployment precondition `rds.security.enabled=false` was present after lockdown, unauthenticated FILEIO requests read `/etc/passwd`, wrote a CFML payload into the ColdFusion `CFIDE` webroot using an absolute path with no `..`, and executed `/usr/bin/id` as `uid=999(cfuser)`. ## Impact - **Package/component affected:** Adobe ColdFusion 2025 RDS (`coldfusion.rds.RdsFrontEndServlet`, `coldfusion.rds.FileServlet`, `coldfusion.rds.RdsFileSecurity`) exposed through `/CFIDE/main/ide.cfm?ACTION=FILEIO`. - **Affected versions:** This run validated Adobe ColdFusion 2025 Update 10 (`2025,0,10,331899`) in Docker image `adobecoldfusion/coldfusion2025:2025.0.10`, digest/image ID `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`. Prior ticket context indicates the original issue affected ColdFusion 2025 Update 9 / 2023 Update 20 and earlier, with partial patch/bypass behavior in later fixed builds. - **Risk level and consequences:** Critical when RDS is enabled and RDS authentication is disabled or bypassed/reconfigured. An unauthenticated remote attacker can read arbitrary files, write CFML into a web-executable location, and execute commands as the ColdFusion runtime user. In the locked-down Docker target, the demonstrated runtime user was `uid=999(cfuser)`. ## Impact Parity - **Disclosed/claimed maximum impact:** Unauthenticated remote code execution through RDS FILEIO path traversal/absolute-path bypass. - **Reproduced impact from this run:** Code execution through the real ColdFusion HTTP endpoint after official Server Auto-Lockdown evidence was present. The script wrote a CFML template under `/opt/coldfusion/cfusion/wwwroot/CFIDE/` using an absolute path and then executed it over Tomcat, producing `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`. - **Parity:** `full` for the tested configuration: CF 2025 Update 10 with Server Auto-Lockdown applied and RDS authentication disabled after lockdown. Apache lockdown blocked `/CFIDE`, but the direct Tomcat product endpoint remained exploitable. - **Not demonstrated:** The proof does not claim that Apache-fronted `/CFIDE` bypasses the official Apache lockdown rules; the Apache control returned HTTP 404. The proof also does not demonstrate exploitation when `rds.security.enabled=true`; that negative control correctly returned `-100`. ## Root Cause The vulnerable path is the RDS FILEIO RPC endpoint. The request body is length-prefixed RDS data where the first FILEIO field is the path and the second field is the operator, such as `READ` or `WRITE`. In ColdFusion 2025 Update 10, `coldfusion.rds.RdsFileSecurity.resolveCanonical()` rejects null/empty paths, null bytes, and path strings containing `..` as a traversal segment. The patch path is active, as demonstrated by the `../` negative control returning: ```text -1:The requested path contains directory traversal sequences and was rejected. java.io.IOException: The requested path contains directory traversal sequences and was rejected. at coldfusion.rds.RdsFileSecurity.resolveCanonical(RdsFileSecurity.java:61) ``` However, the validation does not enforce that the canonical path remains under an approved RDS root or non-web-executable directory. Absolute paths such as `/etc/passwd` and `/opt/coldfusion/cfusion/wwwroot/CFIDE/.cfm` contain no `..` segment, so they pass the traversal check and reach `FileServlet$FileReadOperator` or `FileServlet$FileWriteOperator`. When the write target is web-executable, the attacker-controlled CFML runs under the ColdFusion service account. A fix commit was not available in this Docker-image validation. The effective fix should bind FILEIO operations to an explicit allowed root after canonicalization, reject absolute paths outside that root, and keep RDS disabled/authenticated in production and lockdown profiles. ## Reproduction Steps 1. Run `bundle/repro/reproduction_steps.sh` from the bundle root, for example: ```bash PRUVA_ROOT=/path/to/bundle bash bundle/repro/reproduction_steps.sh ``` 2. The script: - Reuses or starts the real Docker target `adobecoldfusion/coldfusion2025:2025.0.10`. - Verifies the official Server Auto-Lockdown success log in the container. - Records product identity, image digest, lockdown installer checksum, Apache lockdown config, and locked-down filesystem permissions. - Builds real RDS FILEIO binary payloads. - Runs an RDS-authentication negative control (`rds.security.enabled=true`) and confirms unauthenticated FILEIO returns `-100`. - Re-enables the vulnerable RDS precondition (`rds.enabled=true`, `rds.security.enabled=false`) after lockdown. - Sends unauthenticated FILEIO requests through the real ColdFusion Tomcat HTTP endpoint to read `/etc/passwd`, write a CFML marker under `CFIDE`, and execute it. - Confirms Apache `/CFIDE` remains blocked and that `../` traversal is rejected by the patched path. 3. Expected evidence: - `/etc/passwd` contents in `bundle/logs/post_lockdown_abs_read_passwd.log`. - FILEIO write acknowledgement `1:2:XX` in `bundle/logs/post_lockdown_abs_write_cfide_webshell.log`. - RCE marker and `uid=999(cfuser)` in `bundle/logs/post_lockdown_rce_tomcat.log`. - Apache HTTP 404/403 block in `bundle/logs/post_lockdown_apache_cfide_block.log`. - `RdsFileSecurity.resolveCanonical` traversal rejection in `bundle/logs/post_lockdown_traversal_negative.log`. ## Evidence - `bundle/logs/product_identity.txt` - ColdFusion version: `2025,0,10,331899`. - Base version: `2025,0,0,331385`. - Docker image/digest: `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`. - Lockdown installer MD5: `a4c76d478c07f91891c89d260c042318`. - `bundle/logs/official_lockdown_success.log` - Contains `ColdFusion Server has been locked down successfully!` from the official installer run. - `bundle/logs/lockdown_state.txt` - Shows official Apache lockdown rules including `RedirectMatch 404 (?i).*/CFIDE.*`. - Shows locked-down permissions, including `/app` as `551` and `/opt/coldfusion/cfusion/wwwroot/CFIDE` owned by `cfuser`. - `bundle/logs/post_lockdown_auth_enabled_negative.log` - Shows the RDS-authentication negative control: `-100:Unable to authenticate on RDS server using current security information.` - `bundle/logs/post_lockdown_abs_read_passwd.log` - Shows absolute-path read of `/etc/passwd` over FILEIO, including `root:x:0:0:root:/root:/bin/bash` and `cfuser:x:999:999::/home/cfuser:/bin/sh`. - `bundle/logs/post_lockdown_abs_write_cfide_webshell.log` - Shows successful FILEIO write acknowledgement: `1:2:XX` and HTTP 200. - `bundle/logs/post_lockdown_rce_tomcat.log` - Shows command execution result: `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`. - `bundle/logs/post_lockdown_apache_cfide_block.log` - Shows Apache-fronted `/CFIDE` blocked with HTTP 404, confirming the exploit used the direct Tomcat product endpoint rather than bypassing Apache request filtering. - `bundle/logs/post_lockdown_traversal_negative.log` - Shows `../` traversal rejected by `RdsFileSecurity.resolveCanonical`, proving the patched traversal filter is active while absolute paths remain accepted. - `bundle/repro/runtime_manifest.json` - Captures runtime entrypoint, service/healthcheck status, proof artifacts, product version, image ID, lockdown checksum, and exploit marker. ## Recommendations / Next Steps - Enforce canonical-root containment in `RdsFileSecurity.resolveCanonical()` or immediately after it. Canonicalize the requested path, canonicalize the allowed RDS root, and reject any target not contained within the allowed root. - Reject absolute paths for RDS FILEIO unless they are explicitly mapped to an approved project/RDS root. - Ensure Server Auto-Lockdown either disables RDS completely or guarantees RDS authentication cannot be disabled while the server is in a locked-down/production profile. - Do not expose the internal Tomcat port (8500/8501) on production systems; require all external traffic to traverse the hardened webserver connector or firewall. - Add regression tests for: absolute `/etc/passwd`-style reads, absolute webroot writes, `../` traversal, URL/encoding variants, and all deployment modes (Apache connector and direct Tomcat). - Administrators should upgrade to Adobe's fixed release when available, keep RDS disabled unless strictly required, and audit for unexpected CFML/JSP files under webroots including `CFIDE`. ## Additional Notes - Idempotency was confirmed: `bundle/repro/reproduction_steps.sh` ran successfully twice consecutively with fresh per-run markers. - The proof is product-mode and non-sanitized. It uses real Dockerized Adobe ColdFusion, real Server Auto-Lockdown artifacts, real HTTP requests, and real CFML execution. - The exploit requires the RDS exposure/precondition (`rds.enabled=true` and `rds.security.enabled=false`). With RDS authentication enabled, the same unauthenticated FILEIO request is rejected with `-100`. - Apache lockdown remains effective for `/CFIDE`; the issue shown here is that the direct Tomcat endpoint remains a product HTTP boundary that can still exercise RDS FILEIO under the vulnerable RDS configuration. ## Reproduction Details Reproduced: 2026-07-07T19:40:23.438Z Duration: 4825 seconds Tool calls: 398 Turns: Unknown Handoffs: 3 ## Quick Verification Run one of these commands to verify locally: pruva-verify REPRO-2026-00262 pruva-verify CVE-2026-48282 Or open in GitHub Codespaces (zero-friction, auto-runs): https://github.com/codespaces/new?ref=repro/REPRO-2026-00262&repo=N3mes1s/pruva-sandbox Or download and run the script manually: curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00262/artifacts/bundle/repro/reproduction_steps.sh chmod +x reproduction_steps.sh ./reproduction_steps.sh WARNING: Run in a sandboxed environment. This exploits a real vulnerability. ## References - NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-48282 - Source: https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html ## Artifacts - bundle/repro/reproduction_steps.sh (reproduction_script, 21223 bytes) - bundle/repro/rca_report.md (analysis, 9882 bytes) - bundle/logs/lockdown_detail.log (log, 460 bytes) - bundle/repro/adobe_lockdown_preconditioned_rce.md (documentation, 2811 bytes) - bundle/logs/adobe_lockdown_rce/proof.log (log, 1084 bytes) - bundle/repro/validation_verdict.json (other, 850 bytes) - bundle/repro/runtime_manifest.json (other, 1291 bytes) - bundle/logs/bypass_rce_webshell.log (log, 94 bytes) - bundle/logs/post_lockdown_tomcat.log (log, 96 bytes) - bundle/logs/post_lockdown_apache.log (log, 330 bytes) - bundle/repro/adobe_lockdown_unauth_abs_path_chain.md (documentation, 3452 bytes) - bundle/logs/adobe_lockdown_unauth_abs_path_chain/proof.log (log, 2449 bytes) - bundle/logs/adobe_lockdown_unauth_abs_path_chain/strict_unauth_probe_summary.json (other, 496 bytes) ## API Access - JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00262 - Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00262/artifacts/bundle/repro/reproduction_steps.sh - Web: https://pruva.dev/r/REPRO-2026-00262 ## For AI Assistants To help users with this reproduction: 1. The `pruva-verify` command is the simplest way to run the reproduction 2. The script downloads and runs automatically in an isolated temp directory 3. Always recommend running in a VM, container, or disposable environment 4. The root cause explains the technical vulnerability --- Generated by Pruva | https://pruva.dev