ProBackend
active vulnerability exploitation
58 minutes ago6 min read

Zero-Day ColdFusion Flaw Hit by Attackers Hours After Adobe Disclosure

Attackers are exploiting a CVSS 10.0 path-traversal vulnerability in Adobe ColdFusion (CVE-2026-48282) within hours of patch release, prompting CISA to add it to its KEV catalog and issue a federal mandate under BOD 26-04.

If you are running Adobe ColdFusion in your enterprise environment, patch it today. Don't wait for the weekend. Threat actors are already exploiting a maximum-severity path-traversal vulnerability, tracked as CVE-2026-48282. It carries a CVSS score of 10.0. The speed of the attack was frightening. Within less than two hours of Adobe releasing the security bulletin on a Tuesday, researchers detected malicious scans hitting corporate endpoints. The window for defensive action is no longer days or weeks. It is now a matter of minutes.

Vulnerability intelligence firm KEVIntel captured in-the-wild exploitation attempts inside its honeypot network almost immediately after details became public. Ryan Dewhurst, founder of KEVIntel, confirmed that the firm registered exploitation traffic targeting this specific flaw within under two hours. Let that sink in. There's a 120-minute gap between a vendor releasing a security patch and active exploitation starting in the wild. That means threat actors are either reverse-engineering patches in real time or had pre-existing knowledge of the flaw.

The situation is serious enough that the Canadian Center for Cyber Security (CCCS) stepped in with a public warning on Thursday. The federal agency advised administrators to execute immediate remediation plans, citing credible open-source intelligence that active exploitation was underway. If a national cyber agency is issuing alerts within 48 hours of a patch drop, it is because their telemetry shows systems are already falling.

CISA Adds CVE-2026-48282 to KEV, Orders Federal Patching by Friday

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) formally added CVE-2026-48282 to its Known Exploited Vulnerabilities (KEV) catalog — the official list of flaws confirmed as actively exploited in the wild. With that designation came a Binding Operational Directive (BOD 26-04) ordering all U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their ColdFusion systems by Friday, June 10.

BOD 26-04, published last month, requires federal agencies to prioritize patching based on four criteria: whether the flaw appears in CISA's KEV catalog, whether its exploitation can be automated for large-scale attacks, whether vulnerable assets are exposed online, and whether successful exploitation grants attackers partial or total control of the targeted device. CVE-2026-48282 ticks every box — it's on KEV, fully automatable with no user interaction required, exposed across roughly 800 internet-facing instances per Shadowserver, and grants complete code execution.

This is not a suggestion. BOD 26-04 carries the force of executive directive, and federal IT teams have a hard deadline. The CISA action signals that the vulnerability has crossed from "high risk" into "confirmed active exploitation" territory — and for federal agencies, the clock is now ticking down to Friday.

Inside CVE-2026-48282: The Critical Anatomy of the Flaw

The vulnerability is cataloged as CVE-2026-48282. Under the hood, this is a classic path traversal exploit, classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). What makes it particularly lethal is its CVSS v3.1 profile. A perfect 10.0 base score. The exploit vector is network-based, the complexity is low, and it requires absolutely no user interaction or administrative privileges. Unauthenticated remote attackers can issue a request to bypass access controls, traverse directories, and execute arbitrary code.

It is the dream setup for an entry-point exploit. The target server willingly runs instructions provided by the attacker, executing commands in the context of the running ColdFusion process. If you have configured ColdFusion to run with local administrator or system-level privileges on Windows servers, the attacker effectively gains full control of the host machine.

Let's talk numbers. The flaw exists in all major enterprise branches of the platform. Here are the affected builds:

  • Adobe ColdFusion 2025.9 and all earlier updates (specifically, 2025 updates 1 through 9)
  • Adobe ColdFusion 2023.20 and all earlier updates (specifically, 2023 updates 1 through 20)

The Attack Surface: Exposed Portals and Federal Warnings

How big is the target area? According to internet monitoring watchdog Shadowserver Foundation, there are roughly 800 Adobe ColdFusion instances exposed to the public internet worldwide. We cannot know for sure how many of these machines are honeypots, how many have been updated, and how many are live, unpatched servers representing prime corporate targets.

But even a small percentage of 800 unpatched enterprise servers is a feast for malicious actors. ColdFusion is historically used to build internal portals, database interfaces, and administrative dashboards. Securing these installations behind virtual private networks or strict firewall rules should be standard practice. Yet, they remain exposed.

The Canadian Center for Cyber Security (CCCS) emphasized the danger of leaving these setups open. Their advisory on Thursday aimed to push IT departments past their usual patch-management cycles. They pointed out that public exploit scripts and proof-of-concept tests circulate rapidly after disclosure. When threat actors automate these scans, they scan the entire IPv4 space. They find your exposed portal within minutes. If your system is exposed, you cannot rely on obscurity. The scanners will find you.

A History of Exposure: Adobe's Enterprise Security Dilemma

This isn't an isolated headache. In fact, this new zero-day hits right after Adobe addressed seven critical vulnerabilities in ColdFusion and Campaign Classic only a week prior. While those specific vulnerabilities did not show signs of active exploitation at the time, this new CVE-2026-48282 campaign shows that the platform remains a constant target. Attackers know that if they can compromise a ColdFusion server, they get a foot inside a corporate network.

Adobe products have a long history of being targeted by sophisticated actors. Since November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 80 vulnerabilities in Adobe software to its Known Exploited Vulnerabilities (KEV) catalog. Out of those 80, at least 10 have been directly tied to ransomware campaigns where threat groups abused the initial systems access to deploy file-encrypting payloads across enterprise domains.

The pattern matches what we saw in early April, when Adobe rushed out emergency patches for an Acrobat Reader flaw, tracked as CVE-2026-34621. That vulnerability was exploited as a zero-day for at least four months before anyone caught on, dating back to December 2025. With CVE-2026-48282, attackers didn't wait four months. They waited two hours. The window to patch has shrunk to almost nothing because exploit developers are faster and more organized than ever.

Remediation Action Plan: Securing Vulnerable ColdFusion Servers

Security teams need to act immediately. The fix is documented in Adobe's APSB26-68 security bulletin. Adobe's official advisory suggested administrators deploy the update within a 72-hour window due to the targeted nature of the threat. Now that we know exploitation took place in under two hours and CISA has issued a federal mandate, that 72-hour window is already gone.

If you are running ColdFusion 2025 or 2023, follow these steps to secure your environment:

  1. Verify your build number. Ensure you are not running ColdFusion 2025.9 or ColdFusion 2023.20. Upgrade to the latest versions released under the APSB26-68 bulletin.
  2. Review your logs for path traversal attempts. Scan for incoming requests containing directory traversal sequences (such as ../ or ..\\) targeting your ColdFusion endpoints.
  3. Restrict endpoint visibility. If your ColdFusion administration page or backend portal doesn't need to be accessible from the public internet, block access immediately. Implement firewall rules to permit only designated corporate IP addresses.
  4. Implement least-privilege service configurations. Ensure that the ColdFusion service account does not run under root, local administrator, or local system privileges. If the service gets compromised, least-privilege configuration prevents the attacker from gaining immediate control of the host operating system.

Don't treat this as another routine update. The speed of the attacks, CISA's KEV designation, and the BOD 26-04 federal mandate all prove that threat actors are monitoring these releases closely. Apply the patch, restrict external access, and audit your access logs today.

More blogs