Adobe ColdFusion CVE-2026-48282 hits CVSS 10 — active exploitation confirmed
A max-severity unauthenticated path-traversal-to-RCE in ColdFusion 2023 and 2025 is under active attack. Adobe's 72-hour patch window has already passed. Shadowserver counts ~800 exposed instances.
Adobe patched a CVSS 10.0 path-traversal-to-RCE in ColdFusion on July 1 as APSB26-68. Twenty-four hours later, the Canadian Centre for Cyber Security warned attackers were already exploiting it. BleepingComputer wrote it up on July 6; Shadowserver is tracking around 800 exposed instances. The 72-hour patch window Adobe called for expired Friday.
Here’s what changed and what to do about it.
What is broken
CVE-2026-48282 is a path-traversal flaw (CWE-22) in Adobe ColdFusion that permits arbitrary code execution without authentication or user interaction. Per NVD, the CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H — network, low complexity, no privileges, no interaction, scope-change, and full triad impact. That is the shape of a bug that gets pointed at internet-exposed application servers by every commodity operator with a scanner and a shell of their choice.
Affected builds:
- ColdFusion 2023 — update 20 and earlier
- ColdFusion 2025 — update 9 and earlier
Adobe’s advisory is APSB26-68, published June 30, 2026. NVD picked it up the same day.
I am not going to walk through the traversal path or the RCE chain that follows. The bug class is well-known — a path-traversal that lets an attacker reach a code-executing sink — and every ColdFusion admin needs to know two things: it is a CVSS 10 unauth RCE, and there is a patch. Read Adobe’s advisory if you want more depth.
What is confirmed exploited
Per BleepingComputer’s July 6 coverage, the Canadian Centre for Cyber Security warned last Thursday (July 2) that CVE-2026-48282 is being exploited in attacks. That is one government CERT saying “in the wild” on the record.
What is not confirmed as of this writing:
- A named threat actor.
- CISA KEV listing. The catalog has not added CVE-2026-48282 at the time of publication. Check the KEV catalog directly; if it lands there this week, that is your federal civilian deadline notice and I would expect it within days given the CCCS confirmation.
- A number for how many of Shadowserver’s ~800 exposed instances are already compromised versus honeypots versus already patched. Shadowserver just counts what is reachable and running a vulnerable build banner.
Confidence is high enough on exploitation to move on the patch today. It is not high enough to publish a threat-actor attribution.
What Adobe changed
Adobe shipped the fix in the July 1 out-of-band update. The patched build IDs, per APSB26-68:
- ColdFusion 2023 — update 21
- ColdFusion 2025 — update 10
Adobe rated the patch Priority 1 and asked customers to apply within 72 hours. Those 72 hours ended Friday, July 3. If your ColdFusion boxes are still on the vulnerable build today, you are past Adobe’s own deadline — not that Adobe’s clock is the one that matters, since the one that matters is the CCCS-confirmed one, and that one is already running too.
What to do — in priority order
1. Patch every internet-facing ColdFusion server today.
If you have ColdFusion 2023 running on a public IP, update to update 21. If you have 2025, go to update 10. This is the one action that materially reduces risk. Do it before you close this tab. If you can’t patch this hour, take the box off the public internet — put it behind an application firewall or VPN — until you can. A ColdFusion server on the open internet, unpatched today, is not something you own; it is a soft target you rent by the hour to whoever gets there first.
2. Then patch the internal ColdFusion servers.
Internal-only doesn’t mean safe. Path-traversal-to-RCE is exactly the kind of bug that gets used for lateral movement after an initial phish or a compromised VPN cred. Anywhere your inventory shows ColdFusion, patch it this week — internal instances by end of Friday if you can.
3. Hunt for exploitation on any box that was exposed and unpatched between June 30 and now.
Approximate window: the advisory dropped June 30, active exploitation was flagged July 2. Any internet-facing ColdFusion instance that spent time in that window on the vulnerable build should be treated as potentially reached. Concrete pull for the IR team:
- Web-server access logs for anomalous requests to ColdFusion endpoints, particularly ones with encoded traversal sequences hitting file-handling routes.
- Process telemetry: new child processes from the ColdFusion service account (
cfusion, or however you have named it) —cmd.exe,powershell.exe,sh, unexpectedjavachildren, anything spawning outside the normal application flow. - File integrity: unexpected new
.cfm/.cfcfiles in web roots, unexpected files written under the ColdFusion install path. - Outbound network from the ColdFusion host to unfamiliar destinations — small, low-volume beacons especially.
Nothing here is exotic. It is the standard “assume compromise, prove it isn’t” pull, applied to a web tier that shouldn’t have new child-process activity in the first place.
4. If ColdFusion is not business-critical, plan to retire it.
This is the fourth ColdFusion CVE in the CVSS-9-or-above range in the last three years. The install base is not big, the attacker interest is very much there, and the honest read is that ColdFusion is a niche legacy platform that keeps attracting critical unauth RCEs. If yours is holding up one internal reporting app that could be rewritten in a modern stack in a quarter, put “sunset ColdFusion” on the roadmap. That is not a today action; the patch is a today action.
5. Do not rewrite your web-tier policy over this one.
Every quarter or two a CVSS-10 lands on some web app server. Your job is to patch it and log the response time. If your process moved on this within 72 hours, that is your process working — don’t over-index. If it didn’t, that is the thing to change, not the ColdFusion policy specifically.
Priority call
Patch every internet-facing ColdFusion 2023 to update 21 and every 2025 to update 10 today. Take unpatched public instances offline if you can’t patch in-place this hour. Then hunt the exposure window. Everything else on this list is worth doing only after those two are done.
Sources
- Adobe. Security update available for Adobe ColdFusion — APSB26-68. Adobe Security Bulletin, June 30, 2026.
- NVD. CVE-2026-48282. NIST National Vulnerability Database, published June 30, 2026.
- Sergiu Gatlan. Max severity Adobe ColdFusion flaw now exploited in attacks. BleepingComputer, July 6, 2026.
- Canadian Centre for Cyber Security. Alerts and advisories. CCCS confirmed active exploitation on July 2, 2026 per BleepingComputer’s reporting above.
- CISA. Known Exploited Vulnerabilities Catalog. Not listed at time of publication.
Found this useful? Share it.


