Skip to content
feed: live
>_ 0dayNews
adobe
● Breaking

CISA: Patch ColdFusion CVE-2026-48282 by Friday

CISA added Adobe ColdFusion CVE-2026-48282 to KEV on July 7 and set a July 10 federal patch deadline under BOD 26-04. CVSS 10.0. Actively exploited.

CISA: Patch ColdFusion CVE-2026-48282 by Friday
Photo: Adobe / Wikimedia Commons · Public domain
airgap · Published · 2 min read

Confirmed. CISA added CVE-2026-48282 to the Known Exploited Vulnerabilities catalog on July 7. Federal civilian agencies have until Friday, July 10 to patch under BOD 26-04. Two business days from this filing.

The one-line status

  • Product: Adobe ColdFusion 2023 (through update 20) and 2025 (through update 9).
  • Flaw: path traversal → unauthenticated arbitrary code execution.
  • CVSS: 10.0 (NVD, vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
  • Patch: APSB26-68 — ColdFusion 2023 update 21, ColdFusion 2025 update 10. Shipped July 1.
  • Federal due date: 2026-07-10.
  • Exploitation: active, confirmed.

Timeline

What changed since our last filing

Two things.

First: CISA is on the catalog now. That was the outstanding gap on our July 6 writeup — CCCS had confirmed exploitation, CISA had not yet listed. Listed as of yesterday. The catalog entry cites the same Adobe advisory and NVD record we already had.

Second: the federal deadline is 48-72 hours, not the BOD 26-04 default. CISA rarely compresses BOD timelines below two weeks — a two-day due date signals CISA is treating this as an urgent, active campaign, not a housekeeping addition. Read that as a strong exploitation signal on top of the CCCS confirmation, not a duplicate one.

Confidence labels

  • Exploitation in the wild: confirmed (CCCS 2026-07-02, CISA KEV 2026-07-07).
  • Attribution: unconfirmed. No named actor, no campaign name in either CISA’s or CCCS’s public wording. Treat as unattributed until a vendor with telemetry publishes one.
  • Scale of compromise: unconfirmed. Shadowserver’s ~800 count from July 6 is exposure, not compromise. No public IR firm has posted a victim count as of this filing.
  • Whether the four-CVE KEV batch is one campaign: unconfirmed. The other three (Langflow and two Joomla builders, covered here) are unrelated products with a different due date (July 10 for the Langflow/Joomla trio as well, but under a separate line). Do not infer a shared operator from a shared listing day.

Action

Patch. If your ColdFusion 2023 boxes aren’t on update 21 or your 2025 boxes aren’t on update 10 by Friday, and either one is reachable from an untrusted network, you are outside the window CISA is signalling. Non-federal readers: BOD 26-04 does not bind you, but the exploitation status underneath it does. Same patch, same day, different letterhead.

One specific detail before closing: the KEV entry cross-references CISA’s BOD 26-04 forensics triage requirements. If you have federal reporting obligations and a ColdFusion box was internet-reachable and unpatched between June 30 and today, the forensics triage instructions apply regardless of whether you find evidence of compromise. Read them before you decide what “we patched, we’re done” looks like on this one.

Sourcing

Found this useful? Share it.