Critical ColdFusion Bug Under Active Attack
Adobe is urging every organization running Adobe ColdFusion to apply the latest patches immediately. A maximum severity vulnerability — rated a perfect 10 on the CVSS scale — is already being exploited in the wild.
The company released fixes for 11 CVEs on June 30 as part of bulletin APSB26-68. Six of those vulnerabilities received the highest possible severity score. Security researchers flagged that one of them, CVE-2026-48282, was targeted within hours of the bulletin going public.
It’s a path traversal weakness in the popular web application development platform. If exploited, it can lead to arbitrary code execution — giving attackers full control over the affected server.
According to data from the ShadowServer Foundation, there are 775 exposed ColdFusion instances online. That’s a relatively small attack surface, but each one represents a potential entry point into a corporate network.
What Makes This Adobe ColdFusion Flaw So Dangerous
Maximum severity bugs are rare. A CVSS score of 10 means the vulnerability is trivial to exploit and requires no user interaction. An attacker doesn’t need to trick an admin into clicking a link or opening a file. They can simply send a crafted request to the server and compromise it.
CVE-2026-48282 fits that description perfectly. It’s a path traversal flaw — a type of bug that lets an attacker read or write files outside the intended directory. In ColdFusion’s case, that can escalate to full remote code execution.
At the time of writing, CVE-2026-48282 and the other vulnerabilities listed in APSB26-68 were not yet in CISA’s Known Exploited Vulnerabilities catalog. That will almost certainly change in the coming days.
Adobe Changes Its Patching Cadence
Adobe is also changing how often it ships security updates. Starting this year, the company moved from a monthly to a twice-monthly publication schedule for security advisories.
Chief security officer Aanchal Gupta explained the reasoning: “Twice-monthly bulletins will enable us to keep pace with the era of frontier AI. More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries.”
Gupta added that the new cadence is a direct result of investing in improved vulnerability discovery. “AI accelerates discovery, but resilience still rests on the fundamentals: visibility, layered controls, continuous monitoring, and the discipline to ship fixes quickly once they are found.”
It’s a clear acknowledgment that attackers are moving faster than ever. The exploitation of this Adobe ColdFusion flaw within hours of the patch proves that point.
ColdFusion Remains a Prime Target
Adobe said it is not aware of any other exploits in the wild for CVE-2026-48282 or the other flaws published in APSB26-68. But the company’s own history suggests caution is warranted.
In 2023, threat actors targeted ColdFusion in a wave of attacks — using them for crypto-mining, DDoS operations, and other malicious activity. The platform is a popular target because it often sits on internal networks and runs with high privileges.
For defenders, the message is simple: patch now. A vulnerability with a CVSS score of 10 that’s already being exploited is not something to leave for the next maintenance window.
What Administrators Should Do Right Now
If you run any version of ColdFusion, here are the immediate steps:
- Review Adobe’s APSB26-68 security bulletin and identify your affected version.
- Apply the latest patch immediately — do not wait for a scheduled maintenance window.
- Check your logs for signs of exploitation, particularly unusual file access or unexpected process execution.
- Ensure your ColdFusion instance is not directly exposed to the internet unless absolutely necessary.
- Monitor CISA’s Known Exploited Vulnerabilities catalog for updates related to CVE-2026-48282.
The window between disclosure and exploitation is shrinking. This Adobe ColdFusion flaw is the latest reminder that patching speed matters more than ever.