Max severity Adobe ColdFusion flaw now exploited in attacks

Max severity Adobe ColdFusion flaw now exploited in attacks

Max severity Adobe ColdFusion flaw now exploited in attacks

https://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/

Publish Date: 2026-07-06 09:18:00

Source Domain: www.bleepingcomputer.com

Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel.

ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.

Adobe released security updates on Tuesday to address the vulnerability, saying that it posed a high risk of exploitation and urging admins to deploy patches immediately.

image

“This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform,” Adobe noted. “Adobe recommends administrators install the update as soon as possible (for example, within 72 hours).”

Two days later, KEVIntel founder Ryan Dewhurst warned that threat actors began exploiting CVE-2026-48282 within two hours of Adobe’s disclosure.

“Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network,” Dewhurst said.

The Canadian Center for Cyber Security (CCCS), the Government of Canada authority that coordinates the country’s national response to cybersecurity incidents, also urged defenders to secure their systems against ongoing attacks.

“Open-source reporting indicates that CVE-2026-48282 is being exploited,” the CCCS said. “The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.”

Internet security watchdog Shadowserver now tracks nearly 800 Adobe ColdFusion instances exposed online, but there is no information on how many are honeypots or have been secured against attacks targeting the CVE-2026-48282 flaw.

Adobe ColdFusion instances exposed onlineAdobe ColdFusion instances exposed…

Source