Skip to main content
Cybersecurity News Kinetic Potential

Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.

It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.

Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.

However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.

However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure. “KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.

Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.

Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds.

“Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.

“The challenge is determining which systems are reachable, which vulnerabilities create attack paths, and what compensating controls can reduce exposure while remediation is underway. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added.

This article was published by Security Week. Please check their website for the original content.

Add new comment

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
12 + 8 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.