Adobe ColdFusion Flaw Now Exploited in Attacks
What happened
Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282. The flaw affects ColdFusion 2025.9, 2023.20, and earlier versions, and can be exploited remotely by attackers without privileges to gain code execution on unpatched systems.
Adobe released security updates for the flaw and warned that the issue posed a high risk of exploitation. The company urged administrators to install the update as soon as possible, recommending deployment within 72 hours. KEVIntel founder Ryan Dewhurst later said exploitation was captured in a global honeypot network within two hours of public details becoming available.
The Canadian Centre for Cyber Security also urged defenders to secure affected systems after open-source reporting indicated that CVE-2026-48282 was being exploited. Shadowserver is tracking nearly 800 Adobe ColdFusion instances exposed online, though it is not clear how many are honeypots or how many have already been patched or protected.
The ColdFusion flaw was part of a broader Adobe patch release that fixed six maximum-severity vulnerabilities across ColdFusion and Campaign Classic. Adobe has not flagged those other issues as actively exploited, but they are also low-complexity vulnerabilities that do not require user interaction and are considered at high risk of being targeted.
Who is affected
Organizations running Adobe ColdFusion 2025.9, 2023.20, or earlier versions are directly affected if they have not installed the latest security updates.
Internet-exposed ColdFusion servers face the highest risk because attackers can exploit the vulnerability remotely without needing privileges.
Organizations using ColdFusion for enterprise websites, internal applications, portals, or business-critical web services should treat exposed and unpatched instances as urgent remediation targets.
Why CISOs should care
This incident shows how quickly public vulnerability details can turn into real exploitation. KEVIntel observed exploitation within two hours of disclosure, leaving little time for slow patch cycles or manual review processes.
For CISOs, the unauthenticated remote code execution risk is especially serious. A vulnerable ColdFusion server may provide attackers with a path into web applications, backend systems, credentials, application data, or internal infrastructure.
The exposed-asset angle also matters. Shadowserver is tracking nearly 800 internet-facing ColdFusion instances, which means attackers have a reachable target pool to scan and exploit.
The broader Adobe context reinforces the need to prioritize exploited and high-risk enterprise software flaws. BleepingComputer noted that CISA has added 79 Adobe product vulnerabilities to its known exploited catalog since November 2021, with 10 also abused in ransomware attacks.
3 practical actions
Patch affected ColdFusion servers immediately: Adobe urged administrators to install the update as soon as possible, recommending deployment within 72 hours. CISOs should prioritize all internet-facing ColdFusion instances and confirm that fixed versions are actually deployed.
Identify exposed ColdFusion assets: Shadowserver is tracking nearly 800 exposed ColdFusion instances. Security teams should scan their environments, review external attack surface inventories, and confirm whether any ColdFusion systems are publicly reachable.
Hunt for post-exploitation activity: Because the flaw allows remote code execution without privileges, defenders should review web server logs, ColdFusion logs, newly created files, suspicious process execution, unexpected outbound connections, and signs of web shell deployment.
More cybersecurity news:


