Overview
- Adobe released emergency patches for ColdFusion on June 30 in bulletin APSB26-68 and urged administrators to install updates as soon as possible.
- Researchers at KEVIntel captured exploitation attempts within under two hours of the public disclosure and traced activity to an Indian IP address, with additional probes observed on July 2–3.
- Adobe initially said it was not aware of in‑the‑wild exploits at disclosure but the Canadian Centre for Cyber Security and multiple security firms report active targeting of CVE-2026-48282.
- CVE-2026-48282 is a maximum‑severity path traversal flaw that can let unauthenticated attackers upload and run files to achieve remote code execution, and it affects ColdFusion 2025.9, 2023.20 and earlier.
- Defenders are advised to apply Adobe’s updates immediately, disable ColdFusion’s RDS feature if not needed, and hunt for unauthorized files in web roots and the /CFIDE/ directories on any internet‑facing servers.