CRITICAL: Adobe ColdFusion Bug (CVE-2026-48282) Weaponized Within Hours as CISA Starts the Patch Clock
Adobe ColdFusion is under active attack through CVE-2026-48282, a CVSS 10.0 path traversal flaw in the Remote Development Services component that hands unauthenticated attackers remote code execution. Exploitation began within about two hours of disclosure, and CISA has added it to its Known Exploited Vulnerabilities catalog with a July 10 federal patch deadline. Patch to ColdFusion 2025 update 10 or 2023 update 21 now.
There is a particular flavor of dread reserved for seeing the words "ColdFusion" and "path traversal" in the same headline, and this week security teams got the full tasting menu. Adobe's aging but stubbornly immortal application server is back in the news after CISA dropped a perfect ten severity flaw into its Known Exploited Vulnerabilities catalog, confirming what a handful of threat researchers had already watched unfold in real time. The attackers did not exactly agonize over the decision. They began firing exploits at CVE-2026-48282 within roughly two hours of the technical details becoming public, which is about as close to instant weaponization as this industry ever gets to witness.
If you run ColdFusion anywhere near the internet, this is the drop everything and patch it now category of problem. The vulnerability carries a CVSS score of 10.0, the maximum the scale allows, and it earns every point of that rating. It lives in ColdFusion's Remote Development Services component, specifically the RDS FILEIO handler, and it lets an unauthenticated attacker write arbitrary files anywhere on the server's file system. Anywhere includes the web root and the notorious CFIDE directory, which means writing a file is really just a polite way of saying remote code execution. No credentials, no user interaction, no clever social engineering. An attacker who can reach the RDS endpoint can drop a web shell and own the box, and from there the rest of your environment starts looking like a series of suggestions rather than boundaries.
The affected versions cover a wide swath of anyone still running this platform. CVE-2026-48282 impacts ColdFusion 2025.9, ColdFusion 2023.20, and every earlier build in those trains. Adobe pushed the fix on June 30 as part of an uncomfortable batch of seven maximum severity flaws spread across ColdFusion and Campaign Classic, releasing ColdFusion 2025 update 10 and ColdFusion 2023 update 21 to close the holes. The good news, if you can call it that, is that a patch exists and has existed for a little over a week. The bad news is that the exploitation started almost immediately after disclosure, so the window between "we should probably schedule that update" and "we are now doing incident response" was measured in hours rather than weeks.
None of this should shock anyone who has spent time defending ColdFusion. Remote Development Services is a legacy convenience feature meant to let developers edit files on a running server, and it is the kind of thing that should never, under any circumstances, be exposed to the public internet. Yet it consistently is, because ColdFusion deployments tend to be old, lightly maintained, and quietly humming along on some forgotten server that nobody wants to touch for fear of breaking a business application from 2014. That combination of internet exposure and neglect is precisely why ColdFusion has spent years as a reliable favorite for ransomware crews and initial access brokers alike. Attackers keep coming back because the platform keeps rewarding them.
The in the wild activity is not theoretical. Researchers observed exploitation attempts originating from an India based address at 103.207.14.220, hitting internet facing servers and hunting for the chance to plant files where they do not belong. The recommended detection approach reflects exactly how these attacks play out. If your ColdFusion server is or was internet facing at any point in the last week, you should be combing through the web root and the CFIDE directory for unauthorized files, unexpected scripts, and anything with a creation date that lines up suspiciously with late June or early July. Finding a stray CFM file you did not put there is the modern equivalent of finding a window open that you are certain you locked.
ColdFusion was not the only thing CISA flagged, and the broader batch tells a consistent story about attackers chasing easy file upload wins. Alongside the Adobe flaw, the agency added CVE-2026-56290, a 10.0 severity unauthenticated file upload bug in the Joomla Page Builder CK extension that has been exploited since June 27 to drop a web shell at a path under the media directory, keyed on a POST field so the operator can drive it remotely. It also added CVE-2026-48908, another 10.0 severity unrestricted upload flaw in JoomShaper's SP Page Builder that attackers have used to create rogue super user accounts by abusing an asset upload task, and which should be resolved by moving to version 6.6.2 or later. Rounding out the group is CVE-2026-55255, a cross tenant authorization bypass in the Langflow AI platform rated 6.1, which a lone opportunistic operator at 45.207.216.55 chained with a separate remote code execution flaw between June 22 and June 25 to steal large language model provider keys and AWS credentials. That last one is a quiet reminder that the AI tooling rushing into production carries the same tired vulnerability classes as everything that came before it.
For federal civilian agencies, CISA has set a hard deadline of July 10 to remediate all four, which is the agency's way of saying these are not hypothetical risks worth a leisurely change window. Everyone else should treat that same deadline as a very strong hint. The math here is brutally simple. A CVSS 10.0 flaw with confirmed exploitation, a public patch, and an attack that requires no authentication is a vulnerability that will be scanned for continuously across the entire internet until the population of unpatched servers approaches zero. If you are on that list, it is not a question of whether someone knocks, only when.
The remediation guidance is refreshingly unambiguous. Upgrade ColdFusion to 2025 update 10 or 2023 update 21 immediately, because there is no partial credit and no configuration tweak that makes an unpatched server safe. Beyond patching, take Remote Development Services off the internet entirely and disable it in any production environment, since RDS has no business being reachable outside a developer's local network in the first place. If you cannot patch within the hour for some legitimate operational reason, put the server behind restrictive network controls that block access to the RDS endpoint while you arrange the update, and then arrange the update anyway. For the Joomla and JoomShaper extensions, upgrade Page Builder CK to 3.6.0 and SP Page Builder to 6.6.2, and for Langflow deployments, apply the available fixes and rotate any provider or cloud keys that touched those systems, because a stolen key does not un steal itself when you patch.
Detection deserves as much attention as patching, because the fastest exploited vulnerabilities are precisely the ones where you may already be compromised before you finish reading the advisory. Hunt through the ColdFusion web root and CFIDE for new or modified files, scrutinize any account creation events on your Joomla installations, and review the media, images, templates, and administrator directories on those sites for planted scripts. On the Joomla side specifically, a file resembling a PHP shell under the page builder media path that responds to an unusual POST parameter is a strong signal that someone got there first. Web server logs showing unauthenticated POST requests to the RDS FILEIO handler or to the Joomla asset upload tasks are worth pulling and correlating, and any outbound connections to unfamiliar addresses from these servers deserve immediate investigation rather than a note in a ticket.
For managed service providers, this week is a genuine gift wrapped in urgency. A confirmed, actively exploited, maximum severity flaw in a widely deployed platform is the clearest possible justification for the emergency patching, continuous vulnerability scanning, and external attack surface monitoring services that clients so often deprioritize until something breaks. Reaching out proactively to every customer running ColdFusion or Joomla with a "we have already checked, and here is where you stand" message builds the kind of trust that turns a one time remediation into a retained managed detection and response engagement. Positioning threat intelligence, dark web monitoring, and rapid patch management as a bundled offering has never been an easier sell than in the middle of a CISA deadline that the whole industry is scrambling to meet.
References
- NVD CVE-2026-48282
https://nvd.nist.gov/vuln/detail/CVE-2026-48282
- The Hacker News: CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV
https://thehackernews.com/2026/07/cisa-adds-4-actively-exploited-adobe.html
- SecurityWeek: Critical Adobe ColdFusion Vulnerability Exploited in Attacks
https://www.securityweek.com/critical-adobe-coldfusion-vulnerability-exploited-in-attacks/
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Concerned about this threat?
Our security team can assess your exposure and recommend immediate actions.
Protect Your Organization
Find vulnerabilities like this in your systems before attackers do.
24/7 monitoring to detect and respond to threats like these in real time.
Block phishing and malware delivery targeting your organization.
Map security controls to 26 frameworks including NIST, SOC 2, and HIPAA.