As of July 7, 2026, attackers are actively exploiting a maximum-severity Adobe ColdFusion flaw that Adobe patched days earlier. The vulnerability, tracked as CVE-2026-48282, carries a CVSS score of 10.0.
Quick Summary – TLDR:
- Adobe patched CVE-2026-48282 on June 30, assigning it a priority rating of 1 given its high risk of exploitation.
- KEVIntel founder Ryan Dewhurst reported in-the-wild exploitation captured within under two hours of the flaw’s public details being released.
- The bug lives in ColdFusion’s Remote Development Services (RDS) feature, which lets a developer’s IDE interact with a running ColdFusion server over HTTP, per Resecurity and watchTowr Labs.
- Exploitation requires RDS to be enabled, which it is not by default, and RDS authentication to be disabled, according to Resecurity, a real constraint on how many servers are actually at risk.
- The Shadowserver Foundation is tracking around 750 internet-facing ColdFusion servers, though it is unclear how many run a vulnerable version.
What Happened?
CVE-2026-48282 is a path traversal vulnerability that may allow remote, unauthenticated attackers to achieve arbitrary code execution by sending a specially crafted HTTP request to upload a malicious file to a web-accessible location. That attack vector mirrors the pattern behind API breaches, where a crafted HTTP request against exposed enterprise infrastructure is the common entry point.
Adobe patched it as part of a broader ColdFusion security update that resolved several other maximum-severity flaws in the platform. At the time, Adobe said it was not aware of any exploits in the wild for any of the issues addressed in the update, but still flagged the release as high priority.
That changed fast. KEVIntel’s honeypot network detected in-the-wild exploitation of CVE-2026-48282 within under two hours of the CVE’s public details going live, according to KEVIntel founder Ryan Dewhurst. Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.
Separately, watchTowr Labs published a technical write-up on the flaw, and exploitation attempts surfaced mere minutes after that analysis went out.
Adobe’s security bulletin recommended patching within a specific window. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours), the bulletin states, guidance that assumed a much longer runway than attackers actually gave defenders.
🚨Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.
— Ryan Dewhurst (@ethicalhack3r) July 2, 2026
Unauthenticated Arbitrary File Write & Read in Adobe ColdFusion
Attacker location: India
Attacker IP: 103.207.14[.]220
If… pic.twitter.com/fok7ZQ56Gy
The Technical Mechanism
The flaw sits in ColdFusion’s Remote Development Services feature, a tool built for developer convenience rather than public exposure. RDS is designed to let a developer’s IDE, historically ColdFusion Builder, Dreamweaver, or the Eclipse plugin, interact with a running ColdFusion server, browsing the filesystem and executing database queries over HTTP. That same interface becomes the attack surface once path traversal lets an outsider reach it.
The Centre for Cybersecurity Belgium laid out the attack chain: The attacker accesses the uploaded file directly via the web server, triggering execution of arbitrary code in the context of the current user, and can then escalate to further compromise the host, the CCB said. That escalation path helps explain why the flaw carries a CVSS 10.0 maximum-severity rating despite starting as a simple file upload.
Crucially, the attack only works under specific conditions. Resecurity’s technical analysis found that attackers must target ColdFusion servers on which RDS is enabled, which it is not by default, and on which RDS authentication is disabled.
That precondition means the raw count of around 750 internet-facing ColdFusion servers overstates the truly vulnerable population. RDS-enabled-and-unauthenticated is a specific, checkable configuration that admins can audit directly.
Government defenders moved quickly once exploitation surfaced. The Canadian Centre for Cyber Security’s advisory AV26-647 urged organizations to act. Open-source reporting indicates that CVE-2026-48282 is being exploited, the CCCS said.
Resecurity researchers separately confirmed they are tracking exploitation of the vulnerability and have released additional technical details for defenders.
Notably, Adobe’s own advisory has not caught up. As of this reporting, the vendor’s bulletin still frames the CVE-2026-48282 update as preventive rather than acknowledging confirmed in-the-wild attacks, a gap between what independent trackers (KEVIntel, the CCCS, Resecurity, and watchTowr) are reporting and what Adobe’s public-facing guidance says.
Why the Timeline Matters?
Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments, Sharma said.
That compression is the real story here. A 72-hour patch recommendation, reasonable by historical standards, ran into a two-hour exploitation timeline. ColdFusion has a track record of drawing fast attacker attention once a flaw goes public, this is not an isolated pattern for the platform, and it helps explain why threat-intelligence firms treat any new ColdFusion CVE as a priority-1 hunt the moment details drop, regardless of what the vendor’s advisory says about known exploitation.
What’s Next?
Admins running ColdFusion should upgrade to ColdFusion 2025 update 10 or ColdFusion 2023 Update 21 without waiting for a longer validation cycle, given how quickly this flaw moved from disclosure to exploitation. Beyond patching, teams whose servers were internet-facing in the past week should hunt for indicators of compromise, including unauthorized files in ColdFusion’s web root and /CFIDE/ directories.
Auditing whether RDS is enabled, and disabling it entirely when it isn’t in active use, closes the specific precondition this attack depends on, independent of the patch timeline.
Expect Adobe to eventually update its advisory to acknowledge in-the-wild exploitation, and expect additional defender guidance from national CERTs as exposure numbers get refined.
SQ Magazine’s Takeaway
This incident exposes how little runway “install within 72 hours” actually gives defenders when attackers move in under two hours. Adobe followed the standard disclosure playbook, complete with a priority rating meant to signal urgency, and the exploitation timeline outran it anyway.
CVE-2026-48282 only bites when RDS is both enabled and unauthenticated, a non-default configuration. That mitigating factor helps reduce the actual blast radius, but it does not eliminate risk on servers where RDS was turned on for developer convenience and never locked down.
Enterprises running ColdFusion should treat “no known exploitation” in a vendor advisory as a time-stamped snapshot that can go stale within hours, not a durable assurance. Disabling unused developer-facing services like RDS is a cheaper, faster risk-reduction step than waiting on the next patch cycle.
Adobe’s advisory lag on acknowledging active exploitation also underscores why independent trackers like KEVIntel and national CERTs remain necessary: vendor communication does not always keep pace with attacker behavior, and admins who rely solely on the vendor bulletin for exploitation status may be working from stale information.