Attackers exploit critical Adobe ColdFusion vulnerability (CVE-2026-48282)
CVE-2026-48282, one of the maximum severity vulnerabilities patched in Adobe ColdFusion on June 30, 2026, has been targeted by attackers in the wild.

Exploitation attempts were detected on July 2, through the honeypot sensors of cybersecurity threat-intelligence service KEVIntel, mere minutes after watchTowr researchers published a technical analysis of this and other ColdFusion flaws recently fixed by Adobe.
What makes CVE-2026-48282 dangerous
Adobe ColdFusion is a widely used development platform for building and deploying enterprise-grade websites and web applications. It’s usually run on Windows or Linux servers.
Seven days ago, Adobe disclosed that it had released patches for CVE-2026-48282 and nine other critical vulnerabilities affecting ColdFusion.
CVE-2026-48282’s description, CVSS score and vector indicate that this path traversal vulnerability may allow remote, unauthenticated attackers to achieve arbitrary code execution by sending a specially crafted HTTP request to upload a malicious file to a web-accessible location.
“The attacker accesses the uploaded file directly via the web server, triggering execution of arbitrary code in the context of the current user, and can then escalate to further compromise the host,” the Centre for Cybersecurity Belgium noted.
WatchTowr’s write-up explained that the vulnerability is found in ColdFusion’s Remote Development Services (RDS) feature “that allows a developer’s IDE, historically ColdFusion Builder, Dreamweaver, or the Eclipse plugin, to interact with a running ColdFusion server.”
According to them, the IDE “can browse the filesystem, execute database queries, and assist with debugging, all over HTTP.”
Resecurity researchers said they are also tracking the exploitation of this vulnerability, and they have released additional details that can help both defenders and attackers.
Exploitation conditions and recommended fixes
Vulnerabilities in Adobe ColdFusion are regularly exploited by attackers.
To successfully leverage CVE-2026-48282, attackers must target ColdFusion servers on which RDS is enabled (and it’s not, by default), and authentication for it is disabled.
The Shadowserver Foundation is currently tracking around 750 internet-facing ColdFusion servers, but it’s unknown how many of these still run a vulnerable ColdFusion version or whether they have RDS enabled.
Admins are advised to upgrade to ColdFusion 2025 update 10 or ColdFusion 2023 Update 21, and if their servers are or were internet-facing in the last week, to hunt for indicators of compromise such as unauthorized files within ColdFusion’s web root and /CFIDE/ directories.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!
