TL;DR
- what: Adobe ColdFusion's maximum-severity flaw CVE-2026-48282 is being actively exploited for unauthenticated remote code execution just days after the July 1, 2026 patch shipped.
- impact: Attackers can run code on unpatched, internet-facing ColdFusion servers with no credentials and no user interaction, giving them a foothold for data theft and lateral movement.
- fix: Apply Adobe's July 1, 2026 updates immediately, upgrading past ColdFusion 2025.9 and 2023.20; Adobe recommends deployment within 72 hours.
- who: Any organization running an internet-exposed ColdFusion 2025, 2023, or earlier server, with roughly 800 instances currently visible online.
Adobe ColdFusion is back in the crosshairs. CVE-2026-48282, a maximum-severity remote code execution flaw, is now being exploited in real attacks less than a week after Adobe shipped a fix. The bug requires no authentication, no privileges, and no user interaction, which puts it in the worst tier of exposure for any internet-facing server.
Adobe released the patch on July 1, 2026. By July 3, Canada's Cyber Centre (CCCS) was warning of active exploitation in the wild, citing open-source reporting of attacks. That is a two-day gap between fix and abuse, and it tells you everything about the operational tempo defenders are now working against.
What the flaw does
CVE-2026-48282 is an unauthenticated remote code execution vulnerability. Adobe describes the attack as low-complexity, meaning an attacker needs no special conditions to line up. Send the right request to a vulnerable ColdFusion instance and you get code execution on the underlying host. From there the usual playbook applies: drop a web shell, harvest credentials, pivot into the internal network.
ColdFusion has a long history as a soft target. It frequently runs on externally reachable application servers, often sits behind aging deployments that lag on patches, and has repeatedly been dragged into Adobe's Known Exploited Vulnerabilities cycle. A max-severity, unauthenticated RCE on this platform is close to a worst case.
Affected and patched versions
- ColdFusion 2025.9 and earlier are vulnerable
- ColdFusion 2023.20 and earlier are vulnerable
- Older, unsupported branches are also at risk
- Adobe's July 1, 2026 security updates contain the fix
⚠️ Patch inside 72 hours — Adobe is not using its normal priority language here. It recommends deploying the update within 72 hours, a timeline reserved for flaws under active attack or at high risk of it. Treat this as an emergency change, not a routine patch cycle.
How exposed is your fleet
Shadowserver is tracking roughly 800 ColdFusion instances reachable over the internet. Not all of them are necessarily vulnerable or unprotected, but that number is the addressable attack surface a scanning adversary sees. Given the two-day turnaround from patch to exploitation, assume any exposed and unpatched instance is already being probed.
The 800-instance figure also understates the real risk. Plenty of ColdFusion runs on internal networks or behind reverse proxies that Shadowserver cannot see, and those become reachable the moment an attacker gets an initial foothold elsewhere. The public count is the front door, not the whole building.
What to do now
- Inventory every ColdFusion instance, including forgotten internal and staging servers, not just the ones you think are exposed
- Apply Adobe's July 1, 2026 updates immediately, prioritizing internet-facing hosts
- If you cannot patch at once, pull the server off the public internet or put it behind strict access controls until you can
- Hunt for compromise: review web server logs, look for new or modified .cfm/.jsp files, unexpected outbound connections, and web shells
- Rotate credentials and secrets stored on or accessible from any ColdFusion host that was exposed before patching
Assume breach on exposed hosts — Because exploitation began within 48 hours of the patch, patching alone is not enough for any instance that was internet-facing during that window. Pair the update with active threat hunting and, where warranted, incident response, before you call it closed.
Bottom line
CVE-2026-48282 checks every box that turns a vulnerability into a mass-exploitation event: maximum severity, unauthenticated, low complexity, a widely deployed target, and confirmed attacks days after disclosure. Adobe's 72-hour guidance is the tell. Get the July 1 update onto every ColdFusion server you own, verify it, and go looking for anyone who beat you to it.
Originally published on RedEye Threat Intelligence.
Top comments (0)