Attackers Exploit Critical Adobe ColdFusion Flaw
A patched ColdFusion path traversal flaw, CVE-2026-48282 (CVSS 10.0), is being exploited in the wild; KEVIntel detected attacks within two hours and Canada’s cyber centre warned.
Threat actors are exploiting a recently patched path traversal vulnerability in Adobe ColdFusion tracked as CVE-2026-48282. The flaw carries a CVSS score of 10.0 and can enable arbitrary code execution on affected systems. Adobe issued fixes on June 30 in ColdFusion 2025 update 10 and ColdFusion 2023 update 21 and assigned the update a priority rating of 1.
KEVIntel reported that attacks against the flaw began within roughly two hours of public disclosure. The vulnerability intelligence firm added that its global honeypot network “captured in-the-wild exploitation within our global honeypot network.” The Canadian Centre for Cyber Security also warned that open-source reporting indicates the vulnerability has been exploited in attacks.
Adobe’s initial advisory noted the security updates but did not report active exploitation at the time the patches were released. The vendor has not updated the advisory to explicitly state confirmed in-the-wild exploitation since the warning from Canadian authorities and the KEVIntel report.
CVE-2026-48282 is described as a path traversal issue that can be used as an attack vector to run arbitrary code on affected ColdFusion installations. Path traversal flaws let an attacker manipulate file paths on a server to access files or feed data into processes that can be abused to execute code. ColdFusion is a rapid application development platform commonly used to host web applications and production servers.
Piyush Sharma, co-founder and CEO of security firm Tuskira, commented on the speed of exploitation: “Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. Attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments.” He added that organizations face challenges in identifying reachable systems, mapping attack paths, and using compensating controls while applying fixes.
Adobe urged administrators to apply the June 30 updates as soon as possible. Administrators responsible for ColdFusion instances should review the advisories, confirm whether affected versions are in use, and install the provided patches. Security teams should monitor logs and external reporting for indicators of exploitation and follow vendor guidance as they validate and deploy updates.




