[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f9pr8YNsngMPZoGizueMO5o2TX3jeQEroiEF3IiHIrI4":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"0512a15c-1f44-4e1d-84e1-749b9e7a464d","CISA orders feds to patch max severity ColdFusion flaw by Friday","cisa-orders-feds-to-patch-max-severity-coldfusion-flaw-by-friday-0e40a0","The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to patch an actively exploited maximum-severity flaw in the Adobe ColdFusion commercial web app development platform by Friday. [...]","CISA has mandated that U.S. federal agencies patch CVE-2026-48282, a critical remote code execution flaw in Adobe ColdFusion versions 2025.9, 2023.20, and earlier, by Friday under Binding Operational Directive BOD 26-04. The vulnerability is being actively exploited in the wild, with attackers beginning attacks within two hours of Adobe's patch disclosure. Adobe released fixes one week prior and recommended immediate deployment, while security organizations including the Canadian Center for Cyber Security warned of ongoing attacks.","CISA orders federal agencies to patch actively exploited maximum-severity ColdFusion vulnerability by Friday.","CISA orders feds to patch max severity ColdFusion flaw by Friday By Sergiu Gatlan July 8, 2026 03:16 AM 0 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered government agencies to patch an actively exploited maximum-severity flaw in the Adobe ColdFusion commercial web app development platform by Friday. The vulnerability (CVE-2026-48282) affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by remote threat actors without privileges in low-complexity attacks to gain code execution on unpatched systems. Adobe released security updates one week ago to address the security flaw and urged admins to deploy patches immediately, saying that it posed a high risk of exploitation. \"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform,\" the company said. \"Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours).\" KEVIntel founder Ryan Dewhurst warned two days after Adobe issued patches that attackers had begun exploiting CVE-2026-48282 within two hours of Adobe's disclosure, while the Canadian Center for Cyber Security (CCCS) encouraged network defenders to secure their systems against these ongoing attacks. Internet security watchdog group Shadowserver currently tracks nearly 800 Adobe ColdFusion instances exposed online, but there is no information on how many are honeypots or have been secured against attacks targeting the CVE-2026-48282 flaw. Internet-exposed ColdFusion instances (Shadowserver) On Tuesday, CISA added CVE-2026-48282 to its list of vulnerabilities actively exploited in attacks and ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their systems by Friday, June 10, as required by Binding Operational Directive (BOD) 26-04. BOD 26-04, which was published last month, requires federal agencies to prioritize patching based on whether flaws are included in CISA's KEV catalog, whether their exploitation can be automated for large-scale attacks, whether vulnerable assets are exposed online, and whether successful exploitation grants the attackers partial or total control of the targeted device. Last week, Adobe also patched six other maximum-severity flaws in the ColdFusion web app development and Campaign Classic marketing automation platforms, all of which were tagged as high risk of being targeted. However, the company has yet to flag any of them as exploited in the wild, saying that it \"is not aware of any exploits in the wild for any of the issues addressed in these updates.\" In early April, Adobe also released emergency updates for an Acrobat Reader vulnerability (CVE-2026-34621) that had been exploited as a zero-day since December 2025. Since November 2021, CISA has added 80 vulnerabilities in Adobe products to its list of actively exploited security flaws, 10 of which have also been abused in ransomware attacks. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Max severity Adobe ColdFusion flaw now exploited in attacksCISA: Microsoft SharePoint RCE flaw now actively exploitedAdobe patches seven max severity ColdFusion, Campaign flawsCISA: Windows BlueHammer flaw now exploited by ransomware gangsCISA orders feds to patch BlueHammer flaw exploited as zero-day","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-orders-feds-to-patch-max-severity-coldfusion-flaw-by-friday\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F08\u002FCISA.jpg","2026-07-08T07:16:55+00:00","2026-07-08T08:00:20.157715+00:00",9,[18,21,24,26,28],{"name":19,"type":20},"Adobe","vendor",{"name":22,"type":23},"ColdFusion","product",{"name":25,"type":23},"Campaign Classic",{"name":27,"type":20},"CISA",{"name":29,"type":30},"Binding Operational Directive BOD 26-04","technology","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":31,"icon":33,"name":34,"slug":35},null,"Vulnerabilities","vulnerabilities",[37,42,47],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"217d3263-c763-41ca-875e-06901f522fe0","NIST","nist",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",[53,57],{"type":54,"value":55,"context":56},"cve","CVE-2026-48282","Remote code execution flaw in Adobe ColdFusion; actively exploited in the wild",{"type":54,"value":58,"context":59},"CVE-2026-34621","Adobe Acrobat Reader vulnerability exploited as zero-day since December 2025"]