Attackers now exploiting a critical ColdFusion flaw Adobe patched last week
One of the critical ColdFusion vulnerabilities Adobe patched last week is now being exploited in the wild. The flaw, CVE-2026-48282, is a path-traversal issue rated 10.0 that lets an attacker run arbitrary code on a ColdFusion server, and it was among seven top-severity bugs Adobe fixed in ColdFusion 2025 and 2023. Adobe had flagged the update as high priority given ColdFusion's history as an attacker and ransomware target, and exploitation has followed quickly. Organizations that had not yet applied the update are now in an active-threat window, especially any ColdFusion servers reachable from the internet, which are the most exposed to opportunistic attacks.
- Check
- Confirm whether your ColdFusion 2025 and 2023 servers have last week's update applied, prioritize any that are internet-facing, and review logs and the filesystem for signs of exploitation or web shells.
- Affected
- ColdFusion 2025 and 2023 servers still missing last week's update (CVE-2026-48282); an attacker can use the path-traversal flaw to run code on the server, and exploitation is now underway.
- Fix
- Apply ColdFusion 2025 Update 10 and 2023 Update 21 immediately, restrict ColdFusion from direct internet exposure, and run a compromise assessment on any server that was unpatched while exploitation was occurring.