Adobe ColdFusion CVE-2026-48282 Exploited Within Hours of PoC Release

Adobe ColdFusion CVE-2026-48282 (CVSS 10) moved from PoC release to confirmed in-the-wild exploitation in under two hours, according to KEVIntel honeypot data.
Table of Contents
    Add a header to begin generating the table of contents

    Attackers began exploiting a maximum-severity Adobe ColdFusion vulnerability within two hours of its technical proof-of-concept details becoming publicly available on July 6 — one of the shortest disclosure-to-exploitation intervals observed for a critical enterprise vulnerability this year. KEVIntel’s honeypot network captured the first in-the-wild exploitation attempts against real ColdFusion servers before most security teams had an opportunity to read the advisory.

    CVE-2026-48282: Maximum-Severity Path Traversal Enabling Unauthenticated Code Execution

    CVE-2026-48282 carries the maximum possible CVSS score of 10.0. The vulnerability is a path traversal flaw in Adobe ColdFusion 2025 (versions 2025.9 and earlier) and ColdFusion 2023 (versions 2023.20 and earlier) that enables unauthenticated attackers to read arbitrary files from the underlying server filesystem and execute code without any authentication requirement and without requiring user interaction. The score reflects the combination of zero-authentication exploitation, full code execution capability, and the broad deployment footprint of ColdFusion in enterprise environments.

    Adobe released patches on July 1 — ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10 — assigning the update its Priority 1 designation, the company’s highest urgency classification for patches that are being targeted in the wild or assessed as at higher risk of imminent targeting. That priority designation proved accurate within five days.

    How KEVIntel Honeypots Captured the First Exploitation Attempts

    KEVIntel operates a global network of honeypot servers running internet-exposed ColdFusion instances. When CVE-2026-48282’s technical details became public on July 6, KEVIntel captured the first exploitation attempt within under two hours. The attacker used the documented path traversal payload to read the file C:Windowswin.ini from the server — a standard reconnaissance step that confirms whether the path traversal succeeds on the target system and establishes a baseline for further exploitation.

    The speed of this progression from technical publication to active exploitation leaves essentially no safe window for organizations to assess and deploy the patch before attackers arrive. Security teams monitoring for new CVE advisories before deciding on urgency would have been racing against active exploitation from the moment they opened their alerts.

    Why ColdFusion Servers at Government, Financial, and Healthcare Organizations Are the Primary Risk

    ColdFusion maintains a disproportionately large deployment footprint in government agencies, financial services organizations, and healthcare systems. These sectors adopted ColdFusion for web application development during an era when the platform was widely deployed, and many organizations continue to run ColdFusion-backed applications as part of legacy infrastructure that is difficult to migrate. Internet-facing ColdFusion installations in these environments — particularly those running versions prior to the July 1 patch — are now confirmed targets of active attack.

    The combination of CVE-2026-48282’s unauthenticated access capability and ColdFusion’s typical deployment context makes successful exploitation particularly consequential. ColdFusion servers often have access to backend databases, internal APIs, and document stores that a standard web application server would not. An attacker who achieves code execution on a ColdFusion server may gain access to far more than the ColdFusion application itself.

    Adobe’s stated remediation timeframe is deployment within 72 hours of patch release — a guideline issued July 1. Given that confirmed exploitation began July 6, any organization that did not apply ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10 within that window has now been operating with confirmed active exploitation occurring in the wild against unpatched ColdFusion servers during the gap.

    Emergency Patch Priority for All Unpatched ColdFusion Deployments

    Organizations running unpatched ColdFusion installations should treat this as an emergency remediation priority. The required updates are ColdFusion 2023 Update 21 and ColdFusion 2025 Update 10, both released July 1. Any ColdFusion deployment running versions 2025.9 or earlier, or 2023.20 or earlier, is vulnerable to unauthenticated file read and code execution via the documented path traversal payload.

    Organizations that did not apply the patch within Adobe’s 72-hour recommendation window should conduct a forensic review of ColdFusion server logs covering the period from July 6 onward, looking specifically for path traversal patterns in request logs and any file access attempts targeting C:Windowswin.ini or similar reconnaissance targets. The KEVIntel-documented first attack step — reading win.ini via path traversal — is a detectable indicator that can confirm whether a server was probed even before deeper exploitation occurred.

    Unpatched internet-facing ColdFusion servers should be considered at high risk of confirmed compromise and treated accordingly.

    Related Posts