Adobe ColdFusion Flaw Patched in June Is Now Being Actively Exploited
Attackers are actively exploiting a critical Adobe ColdFusion vulnerability that was patched in late June, according to threat researchers and Canadian government warnings. The issue, tracked as CVE-2...
Attackers are actively exploiting a critical Adobe ColdFusion vulnerability that was patched in late June, according to threat researchers and Canadian government warnings. The issue, tracked as CVE-2026-48282, carries a CVSS score of 10.0 and is described as a path traversal flaw that could be used to achieve arbitrary code execution.
Patch released with other critical flaws
Adobe addressed CVE-2026-48282 on June 30 in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. The fix was part of a broader security release that also closed five additional critical vulnerabilities in the company’s rapid application development platform. At the time, Adobe said it was not aware of active exploitation, but it still rated the update as priority 1 and urged customers to apply it quickly.
That urgency appears to have been justified. According to KEVIntel, exploitation of CVE-2026-48282 began within two hours of the flaw becoming public. KEVIntel founder Ryan Dewhurst said the organization observed real-world attack activity through its global honeypot network. The Canadian Centre for Cyber Security later issued its own alert, citing open-source reporting that indicated the vulnerability was being used in attacks.
Shorter response window for defenders
Adobe had not updated its advisory to reflect confirmed exploitation as of the latest reports. SecurityWeek said it contacted the company for comment.
Security leaders say the speed of exploitation highlights how little time organizations now have to test and deploy patches before attackers move in. Piyush Sharma, co-founder and CEO of Tuskira, noted that many teams must first determine whether exposed systems are reachable, then assess whether the flaw creates a practical attack path, and finally decide whether temporary controls are needed while remediation is underway.
- CVE-2026-48282: critical path traversal flaw in Adobe ColdFusion
- CVSS score: 10.0
- Patched: June 30, 2026
- Reported exploitation: within hours of public disclosure
- Authorities warning: Canadian Centre for Cyber Security
The reports add to growing concern that high-severity vulnerabilities are being weaponized almost immediately after disclosure, leaving security teams with increasingly narrow windows to respond.
