Adobe ColdFusion Max-Severity RCE Exploited Within Hours of Patch Release
CVE-2026-48282 in Adobe ColdFusion 2025.9, 2023.20 and earlier enables unauthenticated remote code execution; active exploitation confirmed within two hours of disclosure.
Attack Brief
TargetAdobe ColdFusionVectorUnauthenticated remote code execution via unspecified vulnerabilityAttributionunattributed
Technical Details
CVE IDsCVE-2026-48282AffectedColdFusion versions 2025.9, 2023.20, and earlier
Impact
Confirmed DamageActive exploitation in the wild; approximately 800 Adobe ColdFusion instances exposed online tracked by ShadowserverGeographyCanada
Mitigation
PatchesAdobe released security updates on Tuesday, July 1, 2026WorkaroundsAdobe recommends administrators install updates within 72 hours
Context
Similar AttacksAdobe previously released patches for six maximum-severity flaws in ColdFusion and Campaign Classic platforms, all exploitable via low-complexity attacks without user interaction