Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 08, 2026 · 6 min read

CVE-2026-48282: ColdFusion RCE Exploited in 2 Hours

Adobe patched CVE-2026-48282 on June 30, 2026. Researchers watching a global honeypot network caught the first exploitation attempt two hours later, and Shadowserver still counts roughly 800 ColdFusion servers reachable from the open internet.

Two hours. That is how long it took attackers to weaponize a maximum severity Adobe ColdFusion vulnerability after Adobe told the world it existed. KEVIntel founder Ryan Dewhurst spotted the first probe against his honeypot network almost immediately after disclosure, and the Canadian Centre for Cyber Security confirmed active exploitation within a day, according to BleepingComputer.

CVE-2026-48282 was not the only bug in this patch cycle. Adobe fixed six other maximum severity flaws across ColdFusion and Campaign Classic the same day, but this one is the one attackers reached for first. Anyone still running an internet facing ColdFusion server got a very narrow window to react, and most of them missed it.

Key Takeaways

  • CVE-2026-48282 is a CVSS 10.0 path traversal vulnerability in Adobe ColdFusion's Remote Development Services FILEIO handler that can escalate to unauthenticated remote code execution.
  • Adobe patched the flaw on June 30, 2026 in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, and it affects ColdFusion 2025.9, 2023.20, and earlier releases.
  • KEVIntel's Ryan Dewhurst recorded the first exploitation attempt against a global honeypot network within two hours of Adobe's public disclosure.
  • CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog and gave federal civilian agencies until July 10, 2026 to patch.
  • Shadowserver counts roughly 800 ColdFusion instances still reachable from the public internet, and Adobe itself recommends installing the update within 72 hours.
Data center aisle with server racks and amber warning lights while an IT engineer works urgently at a terminal, representing the rush to patch the Adobe ColdFusion flaw

What Is CVE-2026-48282?

CVE-2026-48282 is a path traversal vulnerability in the Remote Development Services FILEIO handler that ships with Adobe ColdFusion, and it carries the maximum possible CVSS score of 10.0. The FILEIO handler takes a file path supplied by an RPC request and hands it straight to the underlying file system without canonicalizing it or checking whether it stays inside the intended RDS working directory, according to a technical writeup from Resecurity.

Feed that handler a crafted path with directory traversal sequences and it will read or write files well outside where it should. Chained with ColdFusion's own execution behavior, that turns into arbitrary code execution on the server. The bug affects ColdFusion 2025.9, 2023.20, and earlier, and Adobe closed it in ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10.

RDS is not enabled by default, and exploitation also requires RDS authentication to be turned off, a configuration mistake that turns out to be common enough on production servers to make this a real problem rather than a theoretical one.

How Fast Did Exploitation Start?

Exploitation started within two hours of Adobe's public disclosure on June 30, 2026. Dewhurst's honeypot network picked up a single attempt from an IP address geolocated to India almost as soon as the advisory went live, a turnaround that leaves essentially no gap between a patch existing and attackers having a working exploit.

A two hour window from disclosure to attack means reverse engineering the patch, building a working proof of concept, and scanning for targets all happened faster than most security teams can even open a change ticket. The Canadian Centre for Cyber Security backed up the honeypot data with its own confirmation that the vulnerability is being actively exploited, urging immediate patching.

Who Needs to Patch, and by When?

Every organization running ColdFusion 2025.9, 2023.20, or earlier needs to patch now, not after the next maintenance window. CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to remediate by July 10, 2026, just days after the initial disclosure.

Adobe's own guidance says to install the update "as soon as possible (for example, within 72 hours)," language the company rarely uses outside its most serious advisories. Shadowserver's scans currently show around 800 ColdFusion instances exposed to the internet, though that count does not separate honeypots from genuinely vulnerable production servers. Private companies do not answer to CISA's federal deadline, but treating July 10 as a hard floor rather than a government only requirement is the sane read of the situation.

Why Does ColdFusion Keep Landing on the KEV List?

ColdFusion keeps landing on CISA's KEV list because it has a long track record as a target, not because this is an isolated incident. CISA has catalogued 79 actively exploited Adobe product vulnerabilities since November 2021, and Adobe fixed six additional maximum severity flaws across ColdFusion and Campaign Classic in the same release that included CVE-2026-48282, per The Hacker News.

This is also the third enterprise platform in three weeks to earn a KEV listing with a same day or near immediate exploitation window, following SharePoint's CVE-2026-45659 and Citrix NetScaler's CitrixBleed Echo flaw. Older bugs stay dangerous too, as the two year old Oracle WebLogic vulnerability CISA added to its KEV catalog in June showed. Attackers are not slowing down on legacy enterprise software, they are getting faster at every stage: finding the bug, building the exploit, and finding the exposed server.

What to Do Right Now

If your organization runs Adobe ColdFusion, update to ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10 immediately rather than waiting for a scheduled patch cycle. Check whether Remote Development Services is enabled on your servers and, if you are not actively using it for development, disable it outright; if you must keep it running, confirm RDS authentication is turned on rather than left open. Review server logs for unusual file system activity or requests containing directory traversal sequences aimed at the RDS FILEIO handler, since that is the specific behavior tied to this exploit chain. Pull your ColdFusion servers off the public internet where possible, or at minimum restrict access to trusted IP ranges, and cross check your exposed assets against the CISA KEV catalog regularly rather than only when a headline forces the question. Given how quickly this one went from advisory to active attack, the safest assumption for any unpatched server is that someone has already tried it.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.