Adobe ColdFusion Vulnerability Exploited Within Hours of Disclosure
Security researchers confirmed active exploitation of CVE-2026-48282, a critical path traversal vulnerability in Adobe ColdFusion, just hours after its public disclosure on 30 June. The flaw, affecting ColdFusion 2025.9, 2023.20, and earlier versions, allows unauthenticated attackers to read or write arbitrary files, potentially leading to arbitrary code execution.
Cybersecurity researcher Ryan Dewhurst reported that KEVIntel’s global honeypot network detected exploitation attempts within two hours of the vulnerability’s details being released. Initial attacks, observed on 2 and 3 July, originated from an Indian IP address and involved probing for unpatched servers. Threat intelligence platform Dark Web Informer later confirmed that attackers were attempting to exploit the flaw to gain unauthorized access to exposed ColdFusion instances.
Adobe had initially stated it had no evidence of in-the-wild exploitation at the time of disclosure but urged immediate patching. The vulnerability is tied to ColdFusion’s Remote Development Services (RDS), a feature enabling IDEs to interact with servers over HTTP a component previously linked to multiple security flaws.
Security firm watchTowr published a detailed analysis on 2 July, emphasizing the recurring risks associated with RDS and the urgency of applying Adobe’s patches. The advisory follows Adobe’s release of fixes for seven critical-severity vulnerabilities across ColdFusion and Campaign Classic earlier in the week.
Adobe cybersecurity rating report: https://www.rankiteo.com/company/adobe
"id": "ADO1783398313",
"linkid": "adobe",
"type": "Vulnerability",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Technology',
'location': 'Global',
'name': 'Adobe ColdFusion',
'type': 'Software'}],
'attack_vector': 'Remote Exploitation',
'date_detected': '2026-07-02',
'date_publicly_disclosed': '2026-06-30',
'description': 'Security researchers confirmed active exploitation of '
'CVE-2026-48282, a critical path traversal vulnerability in '
'Adobe ColdFusion, just hours after its public disclosure on '
'30 June. The flaw allows unauthenticated attackers to read or '
'write arbitrary files, potentially leading to arbitrary code '
'execution. Exploitation attempts were detected within two '
'hours of disclosure, with initial attacks originating from an '
'Indian IP address.',
'impact': {'systems_affected': 'Adobe ColdFusion 2025.9, 2023.20, and earlier '
'versions'},
'investigation_status': 'Ongoing',
'lessons_learned': "Recurring risks associated with ColdFusion's Remote "
'Development Services (RDS) and the urgency of applying '
'patches promptly.',
'post_incident_analysis': {'corrective_actions': "Apply Adobe's patches and "
'review RDS configurations '
'for security risks.',
'root_causes': 'Critical path traversal '
'vulnerability in Adobe '
"ColdFusion's Remote Development "
'Services (RDS)'},
'recommendations': "Immediately apply Adobe's patches for ColdFusion to "
'mitigate the vulnerability.',
'references': [{'source': 'KEVIntel’s global honeypot network'},
{'source': 'Dark Web Informer'},
{'source': 'watchTowr'},
{'source': 'Ryan Dewhurst'}],
'response': {'remediation_measures': "Apply Adobe's patches for ColdFusion"},
'title': 'Adobe ColdFusion Vulnerability Exploited Within Hours of Disclosure',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2026-48282 (Path Traversal)'}