Back to Feed
Zero-dayJul 7, 2026

Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Adobe ColdFusion critical vulnerability CVE-2026-48282 exploited within 2 hours of patch release.

Summary

A critical path traversal vulnerability (CVE-2026-48282, CVSS 10/10) in Adobe ColdFusion was exploited by threat actors within two hours of its public disclosure on June 30, despite Adobe releasing patches for ColdFusion 2025 update 10 and ColdFusion 2023 update 21. The vulnerability allows arbitrary code execution and was one of six maximum severity flaws patched simultaneously. Security researchers confirmed active exploitation via honeypot networks and the Canadian Centre for Cyber Security warned of in-the-wild attacks, highlighting the dramatically compressed window between disclosure and weaponization.

Full text

Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating. Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution. It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution. Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them. However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws. However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure.Advertisement. Scroll to continue reading. “KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said. Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting. Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds. “Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented. “The challenge is determining which systems are reachable, which vulnerabilities create attack paths, and what compensating controls can reduce exposure while remediation is underway. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added. Related: Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire North Korean Hackers Target Open Source Developers in Supply Chain Attacks Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access VulnerabilityPrompt Injection Attacks Trick AI Agents Into Making Crypto PaymentsAgentic AI Used to Conduct Ransomware Attack via LangflowMedtronic Data Breach Impacts 3.8 Million PeopleAlleged Scattered Spider Hacker Extradited to USGoogle, FBI Disrupt NetNut Residential Proxy Network Powered by Millions of DevicesCritical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Latest News CISA Reportedly Using Anthropic’s Mythos to Scan Government Software for FlawsIran-Linked Hackers Using Modular C&C Framework in CyberattacksCISO Conversations: Tarah Wheeler, Cybersecurity Leader, Thought Leader and Original ThinkerLinux Kernel Vulnerability Allows VM Escape on Intel and AMD SystemsKeyfactor Scores $1 Billion+ Investment for AI, Post-Quantum SecurityBlogspot-Hosted Payloads Delivered in ‘Veil#Drop’ AttacksThe Shift Toward Business-Aligned Risk ManagementArmored Likho APT Targeting Government, Electric Power Entities Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveJames Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.Rafal Los has joined Binary Defense as Chief Strategy Officer.Tracey Mustacchio has joined Everfox as Chief Marketing Officer.More People On The MoveExpert Insights The Shift Toward Business-Aligned Risk Management Moving from isolated, technical data to a continuous risk lifecycle can help organizations align security controls with actual business consequences. (Steve Durbin) How to Conduct a Successful Audit of AI-Driven Software Development As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. (Matias Madou) Frontier AI: Six Questions Every Enterprise Should Ask Security Vendors From model selection and automation to validation and measurable results, the right questions can help enterprises separate genuine AI capabilities from marketing hype. (Joshua Goldfarb) The AI Token Costs That Can Break Cybersecurity As cybersecurity platforms embrace agentic AI, organizations must balance detection performance against the escalating costs of token consumption, deployment architecture, and AI credits. (Danelle Au) When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

  • cve — CVE-2026-48282

Entities

Adobe (vendor)Adobe ColdFusion (product)ColdFusion 2025 (product)ColdFusion 2023 (product)Path traversal (technology)