EXPLOITED VULNERABILITY · CVE-2026-48282

Max-Severity Adobe ColdFusion RCE (CVE-2026-48282) Is Now Under Active Attack

A maximum-severity remote code execution flaw in Adobe ColdFusion, CVE-2026-48282, is being exploited in the wild just days after patches shipped. The bug needs no authentication and no user interaction, and Adobe is telling admins to patch within 72 hours. Roughly 800 ColdFusion instances sit exposed online.

Matt Lucas  |  July 6, 2026  |  5 min
Max-Severity Adobe ColdFusion RCE (CVE-2026-48282) Is Now Under Active Attack — editorial hero illustration
Max-severity RCE
~800
Exposed instances online
72 hrs
Adobe patch window
2 days
Patch to exploitation
Detected by Caver · default coverage
MITRE ATT&CK: Server Software Component: Web Shell (T1505.003)
Running Caver? This is caught out of the box by a default detection rule (cavern.edr_common.web_shell_artifact). You're welcome.
Not a customer? This ships live in Caver today, delivered through its app store. See Caver →
TL;DR
  • What: Adobe ColdFusion's maximum-severity flaw CVE-2026-48282 is being actively exploited for unauthenticated remote code execution just days after the July 1, 2026 patch shipped.
  • Impact: Attackers can run code on unpatched, internet-facing ColdFusion servers with no credentials and no user interaction, giving them a foothold for data theft and lateral movement.
  • Fix / mitigation: Apply Adobe's July 1, 2026 updates immediately, upgrading past ColdFusion 2025.9 and 2023.20; Adobe recommends deployment within 72 hours.
  • Who's at risk: Any organization running an internet-exposed ColdFusion 2025, 2023, or earlier server, with roughly 800 instances currently visible online.

Adobe ColdFusion is back in the crosshairs. CVE-2026-48282, a maximum-severity remote code execution flaw, is now being exploited in real attacks less than a week after Adobe shipped a fix. The bug requires no authentication, no privileges, and no user interaction, which puts it in the worst tier of exposure for any internet-facing server.

Adobe released the patch on July 1, 2026. By July 3, Canada's Cyber Centre (CCCS) was warning of active exploitation in the wild, citing open-source reporting of attacks. That is a two-day gap between fix and abuse, and it tells you everything about the operational tempo defenders are now working against.

What the flaw does

CVE-2026-48282 is an unauthenticated remote code execution vulnerability. Adobe describes the attack as low-complexity, meaning an attacker needs no special conditions to line up. Send the right request to a vulnerable ColdFusion instance and you get code execution on the underlying host. From there the usual playbook applies: drop a web shell, harvest credentials, pivot into the internal network.

ColdFusion has a long history as a soft target. It frequently runs on externally reachable application servers, often sits behind aging deployments that lag on patches, and has repeatedly been dragged into Adobe's Known Exploited Vulnerabilities cycle. A max-severity, unauthenticated RCE on this platform is close to a worst case.

Affected and patched versions

Patch inside 72 hours

Adobe is not using its normal priority language here. It recommends deploying the update within 72 hours, a timeline reserved for flaws under active attack or at high risk of it. Treat this as an emergency change, not a routine patch cycle.

How exposed is your fleet

Shadowserver is tracking roughly 800 ColdFusion instances reachable over the internet. Not all of them are necessarily vulnerable or unprotected, but that number is the addressable attack surface a scanning adversary sees. Given the two-day turnaround from patch to exploitation, assume any exposed and unpatched instance is already being probed.

The 800-instance figure also understates the real risk. Plenty of ColdFusion runs on internal networks or behind reverse proxies that Shadowserver cannot see, and those become reachable the moment an attacker gets an initial foothold elsewhere. The public count is the front door, not the whole building.

What to do now

Assume breach on exposed hosts

Because exploitation began within 48 hours of the patch, patching alone is not enough for any instance that was internet-facing during that window. Pair the update with active threat hunting and, where warranted, incident response, before you call it closed.

Bottom line

CVE-2026-48282 checks every box that turns a vulnerability into a mass-exploitation event: maximum severity, unauthenticated, low complexity, a widely deployed target, and confirmed attacks days after disclosure. Adobe's 72-hour guidance is the tell. Get the July 1 update onto every ColdFusion server you own, verify it, and go looking for anyone who beat you to it.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us