Technology

Max severity Adobe ColdFusion flaw now exploited in attacks

Bleeping Computer July 06, 2026 2 views
Max severity Adobe ColdFusion flaw now exploited in attacks

Advertisement

Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, the Canadian Center for Cyber Security (CCCS) warned on Thursday.
ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.
"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform," Adobe noted. "Adobe recommends administrators install the update as soon as possible (for example, within 72 hours)."
Two days later, CCCS, the Government of Canada authority that coordinates the country's national response to any cybersecurity incidents, warned that threat actors have already begun exploiting CVE-2026-48282 and prompted defenders to secure their systems against ongoing attacks.
"Open-source reporting indicates that CVE-2026-48282 is being exploited," the CCCS said. "The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates."
Internet security watchdog Shadowserver tracks nearly 800 Adobe ColdFusion instances exposed online, but there is no information on how many are honeypots or have been secured against attacks targeting the CVE-2026-48282 flaw.
Adobe ColdFusion instances exposed online (Adobe)
Last week, Adobe released patches for six maximum-severity flaws in the ColdFusion web app development and Campaign Classic marketing automation platforms, all of which are exploitable via low-complexity attacks that don't require user interaction and are tagged as high risk of being targeted.
The company has yet to flag any of them as actively exploited, saying that it "is not aware of any exploits in the wild for any of the issues addressed in these updates."
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now

<small>Source: Bleeping Computer</small>

How did this make you feel?

Advertisement

Category
Technology

Advertisement