Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Adobe ColdFusion Vulnerability Exploited in Attacks

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Software security

Threat actors are exploiting a recently patched vulnerability in Adobe ColdFusion that carries a maximum severity rating.

Tracked as CVE-2026-48282 (CVSS score of 10/10), the security defect is described as a path traversal that could lead to arbitrary code execution.

It was patched on June 30 alongside five other max severity flaws in Adobe’s rapid application development platform that could be exploited for code execution.

Adobe released ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to resolve these flaws, noting that it was not aware of any exploits in the wild targeting them.

However, the tech giant did assign a priority rating of 1 to the security update, urging users to apply the patches as soon as possible, given the high risk that attackers could start targeting the flaws.

However, according to the vulnerability intelligence platform KEVIntel, hackers began exploiting CVE-2026-48282 within two hours of its public disclosure.

Advertisement. Scroll to continue reading.

“KEVIntel captured in-the-wild exploitation within our global honeypot network,” KEVIntel founder Ryan Dewhurst said.

Shortly after, the Canadian Centre for Cyber Security also warned that the CVE has been exploited in attacks, based on open source reporting.

Adobe has yet to update its advisory to mention the vulnerability’s in-the-wild exploitation. SecurityWeek has emailed the company for a statement and will update this article if it responds.

“Adobe moved quickly to release a patch, but we’re seeing how dramatically the decision window has compressed. According to reports, attackers began exploiting the vulnerability within two hours of public disclosure, well before many organizations could realistically validate, prioritize, test, and deploy patches across production environments,” Tuskira co-founder and CEO Piyush Sharma commented.

“The challenge is determining which systems are reachable, which vulnerabilities create attack paths, and what compensating controls can reduce exposure while remediation is underway. As the window between disclosure and exploitation continues to shrink, organizations will increasingly compete on the speed and quality of their security decisions,” Sharma added.

Related: Linux Kernel Vulnerability Allows VM Escape on Intel and AMD Systems

Related: Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

Related: Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution

Related: New CitrixBleed Vulnerability Exploited Immediately After Public Disclosure

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.