Adobe ColdFusion

Critical Adobe Vulnerability Actively Exploited

ColdFusion security, CVE-2026-48282, Adobe ColdFusion CVE-2026-48282 actively exploited, Adobe, Adobe ColdFusion vulnerability, critical vulnerability
Facebook
X
LinkedIn
Reddit
WhatsApp
Sourcre: chrisdorney/Shutterstock.com

A critical Adobe ColdFusion vulnerability with the maximum CVSS score of 10 is being actively exploited in the wild. Attackers began targeting affected systems within just two hours.

A critical security flaw in the web development platform Adobe ColdFusion, tracked as CVE-2026-48282, is currently being exploited in cyberattacks. The vulnerability received the highest possible severity rating in the Common Vulnerability Scoring System (CVSS) with a score of 10 out of 10.

Ad

The flaw is a so-called path traversal vulnerability affecting the Remote Development Services (RDS) FILEIO handler. Unauthenticated attackers can send specially crafted HTTP requests over the network to write arbitrary files to the server and execute malicious code with the privileges of the ColdFusion service account.

Affected versions include ColdFusion 2025 Update 9 and earlier, as well as ColdFusion 2023 Update 20 and earlier.

Rapid Exploitation After Adobe Disclosure

Adobe released patched software versions on June 30, 2026, as part of security bulletin APSB26-68. The updates include ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.

Ad

At the time of the announcement, Adobe stated that it had no evidence of active exploitation. However, the specialized security platform KEVIntel detected attacks in real time shortly after security researchers published detailed technical analyses on July 2.

Ryan Dewhurst, founder of KEVIntel, said: “KEVIntel has captured exploitation in the wild within our global honeypot network.”

International Cybersecurity Agencies Issue Warnings

Following confirmed exploitation activity, government cybersecurity agencies responded with alerts. The Canadian Centre for Cyber Security issued a warning, and the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on July 7, 2026.

Piyush Sharma, CEO of IT company Tuskira, commented on the incident:

“Adobe moved quickly to release a patch, but we are seeing how dramatically the decision window has narrowed. Reports indicate that attackers began exploiting the vulnerability within two hours of public disclosure, long before many organizations could realistically validate, prioritize, test, and deploy patches in production environments.”

Piyush Sharma, CEO of Tuskira

A successful attack requires the RDS feature to be enabled and the associated authentication mechanism to be either unconfigured or disabled.

(ll)

Ad

Artikel zu diesem Thema

Weitere Artikel