{"repro_id":"REPRO-2026-00262","version":6,"title":"ColdFusion 2025 Lockdown: open-RDS unauth direct-Tomcat absolute-path FILEIO RCE confirmed","repro_type":"security","status":"published","severity":"critical","cvss_score":10.0,"description":"Validate the Adobe-reportable ColdFusion 2025 Server Auto-Lockdown chain:","root_cause":"## Summary\n\nCVE-2026-48282 is an Adobe ColdFusion Remote Development Services (RDS) FILEIO path handling flaw reachable through `POST /CFIDE/main/ide.cfm?ACTION=FILEIO`. The patched ColdFusion 2025 Update 10 code rejects `..` directory-traversal segments, but it still accepts attacker-supplied absolute paths and passes them to the real FILEIO read/write operators. In this run, the target was Adobe ColdFusion 2025 Update 10 with the official Server Auto-Lockdown installer successfully applied. Apache lockdown rules blocked `/CFIDE`, but the direct ColdFusion Tomcat endpoint remained reachable. When the RDS deployment precondition `rds.security.enabled=false` was present after lockdown, unauthenticated FILEIO requests read `/etc/passwd`, wrote a CFML payload into the ColdFusion `CFIDE` webroot using an absolute path with no `..`, and executed `/usr/bin/id` as `uid=999(cfuser)`.\n\n## Impact\n\n- **Package/component affected:** Adobe ColdFusion 2025 RDS (`coldfusion.rds.RdsFrontEndServlet`, `coldfusion.rds.FileServlet`, `coldfusion.rds.RdsFileSecurity`) exposed through `/CFIDE/main/ide.cfm?ACTION=FILEIO`.\n- **Affected versions:** This run validated Adobe ColdFusion 2025 Update 10 (`2025,0,10,331899`) in Docker image `adobecoldfusion/coldfusion2025:2025.0.10`, digest/image ID `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`. Prior ticket context indicates the original issue affected ColdFusion 2025 Update 9 / 2023 Update 20 and earlier, with partial patch/bypass behavior in later fixed builds.\n- **Risk level and consequences:** Critical when RDS is enabled and RDS authentication is disabled or bypassed/reconfigured. An unauthenticated remote attacker can read arbitrary files, write CFML into a web-executable location, and execute commands as the ColdFusion runtime user. In the locked-down Docker target, the demonstrated runtime user was `uid=999(cfuser)`.\n\n## Impact Parity\n\n- **Disclosed/claimed maximum impact:** Unauthenticated remote code execution through RDS FILEIO path traversal/absolute-path bypass.\n- **Reproduced impact from this run:** Code execution through the real ColdFusion HTTP endpoint after official Server Auto-Lockdown evidence was present. The script wrote a CFML template under `/opt/coldfusion/cfusion/wwwroot/CFIDE/` using an absolute path and then executed it over Tomcat, producing `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`.\n- **Parity:** `full` for the tested configuration: CF 2025 Update 10 with Server Auto-Lockdown applied and RDS authentication disabled after lockdown. Apache lockdown blocked `/CFIDE`, but the direct Tomcat product endpoint remained exploitable.\n- **Not demonstrated:** The proof does not claim that Apache-fronted `/CFIDE` bypasses the official Apache lockdown rules; the Apache control returned HTTP 404. The proof also does not demonstrate exploitation when `rds.security.enabled=true`; that negative control correctly returned `-100`.\n\n## Root Cause\n\nThe vulnerable path is the RDS FILEIO RPC endpoint. The request body is length-prefixed RDS data where the first FILEIO field is the path and the second field is the operator, such as `READ` or `WRITE`. In ColdFusion 2025 Update 10, `coldfusion.rds.RdsFileSecurity.resolveCanonical()` rejects null/empty paths, null bytes, and path strings containing `..` as a traversal segment. The patch path is active, as demonstrated by the `../` negative control returning:\n\n```text\n-1:The requested path contains directory traversal sequences and was rejected.\njava.io.IOException: The requested path contains directory traversal sequences and was rejected.\n    at coldfusion.rds.RdsFileSecurity.resolveCanonical(RdsFileSecurity.java:61)\n```\n\nHowever, the validation does not enforce that the canonical path remains under an approved RDS root or non-web-executable directory. Absolute paths such as `/etc/passwd` and `/opt/coldfusion/cfusion/wwwroot/CFIDE/<marker>.cfm` contain no `..` segment, so they pass the traversal check and reach `FileServlet$FileReadOperator` or `FileServlet$FileWriteOperator`. When the write target is web-executable, the attacker-controlled CFML runs under the ColdFusion service account.\n\nA fix commit was not available in this Docker-image validation. The effective fix should bind FILEIO operations to an explicit allowed root after canonicalization, reject absolute paths outside that root, and keep RDS disabled/authenticated in production and lockdown profiles.\n\n## Reproduction Steps\n\n1. Run `bundle/repro/reproduction_steps.sh` from the bundle root, for example:\n   ```bash\n   PRUVA_ROOT=/path/to/bundle bash bundle/repro/reproduction_steps.sh\n   ```\n2. The script:\n   - Reuses or starts the real Docker target `adobecoldfusion/coldfusion2025:2025.0.10`.\n   - Verifies the official Server Auto-Lockdown success log in the container.\n   - Records product identity, image digest, lockdown installer checksum, Apache lockdown config, and locked-down filesystem permissions.\n   - Builds real RDS FILEIO binary payloads.\n   - Runs an RDS-authentication negative control (`rds.security.enabled=true`) and confirms unauthenticated FILEIO returns `-100`.\n   - Re-enables the vulnerable RDS precondition (`rds.enabled=true`, `rds.security.enabled=false`) after lockdown.\n   - Sends unauthenticated FILEIO requests through the real ColdFusion Tomcat HTTP endpoint to read `/etc/passwd`, write a CFML marker under `CFIDE`, and execute it.\n   - Confirms Apache `/CFIDE` remains blocked and that `../` traversal is rejected by the patched path.\n3. Expected evidence:\n   - `/etc/passwd` contents in `bundle/logs/post_lockdown_abs_read_passwd.log`.\n   - FILEIO write acknowledgement `1:2:XX` in `bundle/logs/post_lockdown_abs_write_cfide_webshell.log`.\n   - RCE marker and `uid=999(cfuser)` in `bundle/logs/post_lockdown_rce_tomcat.log`.\n   - Apache HTTP 404/403 block in `bundle/logs/post_lockdown_apache_cfide_block.log`.\n   - `RdsFileSecurity.resolveCanonical` traversal rejection in `bundle/logs/post_lockdown_traversal_negative.log`.\n\n## Evidence\n\n- `bundle/logs/product_identity.txt`\n  - ColdFusion version: `2025,0,10,331899`.\n  - Base version: `2025,0,0,331385`.\n  - Docker image/digest: `sha256:a51436584affbca07abe4909620cdd098f81737ba1e5f368410633df9474592a`.\n  - Lockdown installer MD5: `a4c76d478c07f91891c89d260c042318`.\n- `bundle/logs/official_lockdown_success.log`\n  - Contains `ColdFusion Server has been locked down successfully!` from the official installer run.\n- `bundle/logs/lockdown_state.txt`\n  - Shows official Apache lockdown rules including `RedirectMatch 404 (?i).*/CFIDE.*`.\n  - Shows locked-down permissions, including `/app` as `551` and `/opt/coldfusion/cfusion/wwwroot/CFIDE` owned by `cfuser`.\n- `bundle/logs/post_lockdown_auth_enabled_negative.log`\n  - Shows the RDS-authentication negative control: `-100:Unable to authenticate on RDS server using current security information.`\n- `bundle/logs/post_lockdown_abs_read_passwd.log`\n  - Shows absolute-path read of `/etc/passwd` over FILEIO, including `root:x:0:0:root:/root:/bin/bash` and `cfuser:x:999:999::/home/cfuser:/bin/sh`.\n- `bundle/logs/post_lockdown_abs_write_cfide_webshell.log`\n  - Shows successful FILEIO write acknowledgement: `1:2:XX` and HTTP 200.\n- `bundle/logs/post_lockdown_rce_tomcat.log`\n  - Shows command execution result: `PRUVA_LOCKDOWN_RCE_1783451550-154638:uid=999(cfuser) gid=999(cfuser) groups=999(cfuser)`.\n- `bundle/logs/post_lockdown_apache_cfide_block.log`\n  - Shows Apache-fronted `/CFIDE` blocked with HTTP 404, confirming the exploit used the direct Tomcat product endpoint rather than bypassing Apache request filtering.\n- `bundle/logs/post_lockdown_traversal_negative.log`\n  - Shows `../` traversal rejected by `RdsFileSecurity.resolveCanonical`, proving the patched traversal filter is active while absolute paths remain accepted.\n- `bundle/repro/runtime_manifest.json`\n  - Captures runtime entrypoint, service/healthcheck status, proof artifacts, product version, image ID, lockdown checksum, and exploit marker.\n\n## Recommendations / Next Steps\n\n- Enforce canonical-root containment in `RdsFileSecurity.resolveCanonical()` or immediately after it. Canonicalize the requested path, canonicalize the allowed RDS root, and reject any target not contained within the allowed root.\n- Reject absolute paths for RDS FILEIO unless they are explicitly mapped to an approved project/RDS root.\n- Ensure Server Auto-Lockdown either disables RDS completely or guarantees RDS authentication cannot be disabled while the server is in a locked-down/production profile.\n- Do not expose the internal Tomcat port (8500/8501) on production systems; require all external traffic to traverse the hardened webserver connector or firewall.\n- Add regression tests for: absolute `/etc/passwd`-style reads, absolute webroot writes, `../` traversal, URL/encoding variants, and all deployment modes (Apache connector and direct Tomcat).\n- Administrators should upgrade to Adobe's fixed release when available, keep RDS disabled unless strictly required, and audit for unexpected CFML/JSP files under webroots including `CFIDE`.\n\n## Additional Notes\n\n- Idempotency was confirmed: `bundle/repro/reproduction_steps.sh` ran successfully twice consecutively with fresh per-run markers.\n- The proof is product-mode and non-sanitized. It uses real Dockerized Adobe ColdFusion, real Server Auto-Lockdown artifacts, real HTTP requests, and real CFML execution.\n- The exploit requires the RDS exposure/precondition (`rds.enabled=true` and `rds.security.enabled=false`). With RDS authentication enabled, the same unauthenticated FILEIO request is rejected with `-100`.\n- Apache lockdown remains effective for `/CFIDE`; the issue shown here is that the direct Tomcat endpoint remains a product HTTP boundary that can still exercise RDS FILEIO under the vulnerable RDS configuration.\n","cve_id":"CVE-2026-48282","cwe_id":"CWE-22 Path Traversal","source_url":"https://helpx.adobe.com/security/products/coldfusion/apsb26-68.html","reproduced_at":"2026-07-07T19:40:23.438260+00:00","duration_secs":4825.0,"tool_calls":398,"handoffs":3,"total_cost_usd":15.28574741,"agent_costs":{"judge":0.10575025,"repro":15.07590106,"support":0.1040961},"cost_breakdown":{"judge":{"gpt-5.4-mini":0.10575025},"repro":{"accounts/fireworks/routers/glm-5p2-fast":7.025754060000002,"gpt-5.5":8.050147},"support":{"accounts/fireworks/routers/glm-5p2-fast":0.1040961}},"quality":{"confidence":"medium","idempotent_verified":false,"community_verifications":0},"environment":{"sandbox_image":"ghcr.io/n3mes1s/pruva-sandbox@sha256:8096b2518d6022e13d68f885c3b8ded6b4fe607098b1a1ccbfb99abc004d1dc1"},"published_at":"2026-07-07T19:40:44.900188+00:00","retracted":false,"artifacts":[{"path":"bundle/repro/reproduction_steps.sh","filename":"reproduction_steps.sh","size":21223,"category":"reproduction_script"},{"path":"bundle/repro/rca_report.md","filename":"rca_report.md","size":9882,"category":"analysis"},{"path":"bundle/logs/lockdown_detail.log","filename":"lockdown_detail.log","size":460,"category":"log"},{"path":"bundle/repro/adobe_lockdown_preconditioned_rce.md","filename":"adobe_lockdown_preconditioned_rce.md","size":2811,"category":"documentation"},{"path":"bundle/logs/adobe_lockdown_rce/proof.log","filename":"proof.log","size":1084,"category":"log"},{"path":"bundle/repro/validation_verdict.json","filename":"validation_verdict.json","size":850,"category":"other"},{"path":"bundle/repro/runtime_manifest.json","filename":"runtime_manifest.json","size":1291,"category":"other"},{"path":"bundle/logs/bypass_rce_webshell.log","filename":"bypass_rce_webshell.log","size":94,"category":"log"},{"path":"bundle/logs/post_lockdown_tomcat.log","filename":"post_lockdown_tomcat.log","size":96,"category":"log"},{"path":"bundle/logs/post_lockdown_apache.log","filename":"post_lockdown_apache.log","size":330,"category":"log"},{"path":"bundle/repro/adobe_lockdown_unauth_abs_path_chain.md","filename":"adobe_lockdown_unauth_abs_path_chain.md","size":3452,"category":"documentation"},{"path":"bundle/logs/adobe_lockdown_unauth_abs_path_chain/proof.log","filename":"proof.log","size":2449,"category":"log"},{"path":"bundle/logs/adobe_lockdown_unauth_abs_path_chain/strict_unauth_probe_summary.json","filename":"strict_unauth_probe_summary.json","size":496,"category":"other"}]}