CISA tells federal agencies to patch critical ColdFusion flaw by Friday

The U.S. Cybersecurity and Infrastructure Security Agency has directed federal civilian agencies to patch a maximum-severity Adobe ColdFusion vulnerability by Friday after the flaw was added to its Kn...

The U.S. Cybersecurity and Infrastructure Security Agency has directed federal civilian agencies to patch a maximum-severity Adobe ColdFusion vulnerability by Friday after the flaw was added to its Known Exploited Vulnerabilities catalog.

Tracked as CVE-2026-48282, the issue affects Adobe ColdFusion 2025.9, 2023.20, and earlier versions. According to Adobe, the bug can be exploited remotely without authentication and with low attack complexity, giving an attacker the ability to execute code on vulnerable systems.

Adobe released fixes for the problem about a week ago and urged administrators to install them as soon as possible. The company described the update as addressing issues that were already being targeted in the wild or were considered likely to be targeted soon.

Researchers and government cybersecurity organizations reported signs of active abuse soon after the disclosure. KEVIntel founder Ryan Dewhurst said attackers appeared to begin exploiting the flaw within hours of Adobe’s announcement. The Canadian Centre for Cyber Security also advised defenders to secure affected systems quickly in light of ongoing attacks.

Shadowserver, which monitors exposed systems on the internet, says it currently sees nearly 800 ColdFusion instances reachable online. It is not clear how many of those systems are still vulnerable, protected by mitigation measures, or operated as decoys.

Federal patching deadline

CISA’s order applies to Federal Civilian Executive Branch agencies under Binding Operational Directive 26-04. That directive requires agencies to prioritize patching based on factors such as whether a flaw is actively exploited, whether attacks can be automated, whether the vulnerable system is exposed to the internet, and whether successful exploitation could give an attacker control of the target.

Adobe also fixed six other critical vulnerabilities in ColdFusion and Campaign Classic in the same round of updates. The company has not said those issues are being exploited in the wild.

ColdFusion has remained a frequent target for attackers. Since 2021, CISA has added dozens of Adobe-related vulnerabilities to its exploited list, including several that were later linked to ransomware activity.