Particle.news

Attackers Exploit Critical Adobe ColdFusion Flaw

Unauthenticated remote code execution on unpatched servers leaves roughly 775 to 800 internet‑exposed ColdFusion instances at risk.

Overview

  • Adobe released emergency patches for ColdFusion on June 30 in bulletin APSB26-68 and urged administrators to install updates as soon as possible.
  • Researchers at KEVIntel captured exploitation attempts within under two hours of the public disclosure and traced activity to an Indian IP address, with additional probes observed on July 2–3.
  • Adobe initially said it was not aware of in‑the‑wild exploits at disclosure but the Canadian Centre for Cyber Security and multiple security firms report active targeting of CVE-2026-48282.
  • CVE-2026-48282 is a maximum‑severity path traversal flaw that can let unauthenticated attackers upload and run files to achieve remote code execution, and it affects ColdFusion 2025.9, 2023.20 and earlier.
  • Defenders are advised to apply Adobe’s updates immediately, disable ColdFusion’s RDS feature if not needed, and hunt for unauthorized files in web roots and the /CFIDE/ directories on any internet‑facing servers.