ENKVA #013 — ColdFusion RDS path-traversal RCE hits KEV, exploited in the wild
If you run Adobe ColdFusion — and a lot of shops still do, tucked inside a client's legacy web app — patch it this week. CVE-2026-48282 is a path-traversal flaw in ColdFusion that NVD rates CVSS 10.0, the maximum. Per NVD, it "could lead to arbitrary code execution in the context of the current user," and "exploitation of this issue does not require user interaction." CISA added it to the Known Exploited Vulnerabilities catalog on July 7 with a July 10 due date, and it is already under attack.
The bug lives in ColdFusion's Remote Development Services (RDS) — the feature an IDE uses to talk to a running ColdFusion server over HTTP. Help Net Security reports that "exploitation attempts were detected on July 2, through the honeypot sensors of cybersecurity threat-intelligence service KEVIntel," and describes the flaw as one that "may allow remote, unauthenticated attackers to achieve arbitrary code execution by sending a specially crafted HTTP request." Adobe patched it in bulletin APSB26-68.
There is one precondition that decides whether you are exposed. Per Help Net Security, "attackers must target ColdFusion servers on which RDS is enabled (and it's not, by default), and authentication for it is disabled." So the worst case is a server that runs RDS with RDS authentication turned off — a development-time setting that often gets left on in production. That narrows the blast radius from "every ColdFusion install" to "every ColdFusion install where RDS is on and unauthenticated," which is the first thing to check.
Per NVD, the affected builds are "ColdFusion versions 2025.9, 2023.20 and earlier." The fixed releases are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. ColdFusion has a long history as a target: an unauthenticated, maxed-out RCE on an internet-reachable app server is the exact shape attackers automate, and the July 2 honeypot hits confirm scanning is live.
This is the profile BOD 26-04 — the risk-based KEV directive we covered in #010 — puts in its shortest tier: internet-exposable, on KEV, automatable, and granting full control. All four of this week's KEV additions landed on that three-day floor (July 7, due July 10). The directive binds federal agencies, not you, but the tiering is a clean filter, and it points straight at your internet-facing web stack.
What to do this week:
- Inventory every ColdFusion server and check RDS. Find each ColdFusion install you run — including the ones buried inside a client's legacy application — and check whether RDS is enabled and whether RDS authentication is on. An RDS-enabled server with authentication disabled is the urgent case.
- Patch to 2025 Update 10 or 2023 Update 21. Anything on 2025.9, 2023.20, or earlier is affected. Apply the update per Adobe's bulletin, and disable RDS entirely on any production server that does not need it.
- Get the server off the open internet and assume compromise if it was exposed. Put ColdFusion behind a VPN or reverse proxy rather than a public port. If an internet-reachable server was running unpatched with RDS open, treat it as potentially breached — review it for web shells and unexpected files before you call it clean.
Advisories
Two Joomla page-builder plugins take unauthenticated file-upload RCEs — both exploited
If you host Joomla sites for clients, two page-builder extensions landed on KEV this week with the same failure mode: unauthenticated file upload that ends in remote code execution. CVE-2026-48908 (CVSS 9.8) in SP Page Builder by JoomShaper lets "unauthenticated users upload arbitrary files, ultimately resulting in the upload and execution of PHP code." The affected range is SP Page Builder 1.0.0 through 6.6.1, fixed in 6.6.2 — and it is already exploited, with the payload planting "a hidden Super Administrator account, usually with an @secure.local email, plus a PHP file manager backdoor."
Action: update SP Page Builder to 6.6.2. Then check exploited sites for the tell: a Joomla super-admin account you did not create — an @secure.local address is the reported marker — plus stray PHP files in the media directories. KEV catalog.
PageBuilder CK carries the same bug on a different Joomla plugin
The second one is CVE-2026-56290 (CVSS 9.8) in PageBuilder CK by Joomlack, which NVD describes as "an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE." Per the advisory, it affects "every version up to and including 3.5.10," fixed in 3.6.0 (released June 27, 2026). It is exploited too: researchers found a web shell named bhup.php at /media/com_pagebuilderck/gfonts/bhup.php.
Action: update PageBuilder CK to 3.6.0 or the back-ported fix for your Joomla branch. Grep exploited or unpatched sites for bhup.php under /media/com_pagebuilderck/ and audit the media folders for other planted PHP. If a client's Joomla site runs either builder and was internet-facing, patch first and hunt for the backdoor second. KEV catalog.
Langflow IDOR lets one tenant run another tenant's AI flows
If a client runs Langflow — an open-source builder for AI agents and workflows — CVE-2026-55255 is on KEV (added July 7, due July 10) at CVSS 8.4. Per NVD, prior to 1.9.1 an Insecure Direct Object Reference in the /api/v1/responses endpoint "allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request." It needs a logged-in low-privileged account, but on a shared Langflow instance that is a low bar.
Action: upgrade Langflow to 1.9.1 or later per the GitHub advisory. If any client stood up a multi-user Langflow instance, treat it like any other multi-tenant app: patch it, keep it off the open internet, and confirm authenticated users cannot reach each other's flows. KEV catalog.
Product changes
Enterprise App Management apps can now auto-update
In Intune service release 2606, Enterprise App Management gained automatic updates: "when you enable auto-update for an EAM app with a required assignment, Intune detects when a newer version is available in the EAM catalog and automatically updates the app on targeted devices," per the Intune What's new page. It replaces the manual packaging-and-supersedence dance for cataloged apps.
Action: if you keep third-party apps current by hand through supersedence chains, turn on auto-update for the EAM apps in your required assignments and let the catalog drive it. Pilot on one app you control before you flip it fleet-wide. Release notes.
Intune adds an Android setting to block apps exposing functions to AI agents
Also in 2606, the settings catalog picked up a new Android Enterprise control, Block apps from exposing app functions, which "controls whether managed apps can expose app functions — programmatic actions that other apps and on-device assistants or AI agents can invoke inside the app," per the June 29 notes.
Action: on-device AI assistants that can invoke actions inside your managed apps are a new data-egress and automation surface. If you manage corporate Android and do not want third-party assistants driving your line-of-business apps, this setting is where you close that path. Scope it in a test policy before broad rollout. Release notes.
Microsoft Tunnel supports RHEL 9.7
Microsoft Tunnel Gateway "now supports Red Hat Enterprise Linux (RHEL) 9.7 as a Linux server distribution," per the 2606 notes — but the support "requires the use of Podman 5.8.2 as its default container engine."
Action: if you run Microsoft Tunnel on RHEL, you can move to 9.7, but note the container-engine dependency. Microsoft warns that "customers upgrading from environments using Podman v3 containers should recreate containers and reinstall Microsoft Tunnel," so plan a rebuild rather than an in-place bump. Release notes.
Defender adds an Active Directory domain investigation page
Defender XDR's July update shipped a Domain investigation page (GA) that "allows you to investigate an Active Directory domain," surfacing "domain properties, deployment health, identity summary, service account breakdown, sensitive entities, active recommendations, group policies, and trust relationships" in one view.
Action: for anyone running Defender for Identity on hybrid AD, this folds the domain-level context — service accounts, trusts, group policy — into a single investigation page. Next time you chase a suspicious identity, start from the domain view to see the service-account and trust picture around it. What's new.
Licensing
Intune Suite capabilities move into Microsoft 365 E3 and E5
Microsoft is "adding several Intune Suite capabilities to Microsoft 365 E3 and Microsoft 365 E5 to enable more organizations to use advanced endpoint management and security without a separate add-on," per the Intune What's new page. EMS E3 — included with Microsoft 365 E3 — gains Remote Help, Advanced Analytics, and Intune Plan 2 (which includes Microsoft Tunnel for MAM, specialty device management, and firmware over-the-air updates). Microsoft 365 E5 gains all of that plus Endpoint Privilege Management, Enterprise Application Management, and Microsoft Cloud PKI.
Action: if you pay for the Intune Suite add-on or buy Remote Help separately for E3/E5 clients, check what you are now entitled to before your next renewal — you may be double-paying for features that are now in the base license. Microsoft says "these capabilities are gradually rolling out. Eligible tenants are automatically provisioned, and no action is required," so confirm what has landed in each tenant's admin center rather than assuming a date. Release notes.
Compliance
Updated Microsoft 365 Apps security baseline (v2512) lands in Intune
Intune now carries an updated security baseline for Microsoft 365 Apps for Enterprise, version v2512, which "skips the previously published version found in the Security Compliance Toolkit (v2412)," per the 2606 notes.
Action: if you enforce the M365 Apps baseline, review v2512 against your current profile before adopting it — and note the gap. Three settings are not in this release yet: "Require macros to be signed by a trusted publisher," "Block certificates originating from the current user store only," and "Require Extended Key Usage (EKU) for code signing." If you rely on the trusted-publisher macro control, keep your existing enforcement in place until those return. Release notes.
Field notes
Microsoft details MCP tool-poisoning attacks against AI agents
Microsoft wrote on June 30 about tool-poisoning attacks on AI agents that use the Model Context Protocol — a technique it notes was "first disclosed by Invariant Labs in April 2025 and observed in 2026." The attack modifies a tool's description metadata to redirect an agent's behavior toward unauthorized actions, all within the agent's approved permissions, so it reads as normal operation rather than an exploit.
Action: if you or your clients are wiring up MCP-connected agents, Microsoft's guidance is concrete: "maintain a tenant-level allowlist of approved MCP publishers and servers," "disable Allow all on MCP connections and enable only the specific tools an agent needs," and "for high-impact actions such as financial data access, external sharing, or account changes, configure human-in-the-loop approval." Treat a tool-description change on a critical agent like a system-prompt change — review it, do not auto-trust it. Microsoft analysis.
Add a comment: