A maximum-severity vulnerability in Adobe ColdFusion is being actively exploited in the wild, according to vulnerability intelligence firm KEVIntel. The flaw, tracked as CVE-2026-48282, allows unauthenticated attackers to achieve remote code execution on unpatched systems running ColdFusion versions 2025.9, 2023.20, and earlier.
Exploitation Began Almost Immediately
Adobe released patches on a Tuesday, characterizing the vulnerability as high-risk and recommending administrators apply updates within 72 hours. That window proved optimistic. KEVIntel founder Ryan Dewhurst reported that his organization’s global honeypot network recorded in-the-wild exploitation within under two hours of Adobe’s public disclosure.
The Canadian Centre for Cyber Security (CCCS) independently confirmed exploitation activity, citing open-source reporting and urging administrators to apply available patches without delay.
Exposure and Attack Surface
Internet security watchdog Shadowserver is currently tracking close to 800 Adobe ColdFusion instances exposed to the public internet. It is not known how many of those are honeypots or have already been patched against this specific flaw, leaving the true vulnerable population uncertain.
Broader ColdFusion Patch Context
CVE-2026-48282 is not an isolated issue for the platform. Adobe also recently released fixes for six additional maximum-severity flaws across ColdFusion and its Campaign Classic platform. Those vulnerabilities are exploitable through low-complexity, no-interaction attacks and were rated high risk, though Adobe has not yet flagged any of them as actively exploited.
Adobe’s Ongoing Vulnerability History
The active exploitation of ColdFusion fits a pattern that security teams should weigh carefully. Since November 2021, CISA has added 79 Adobe product vulnerabilities to its Known Exploited Vulnerabilities catalog, 10 of which have been leveraged in ransomware attacks. Earlier this year, Adobe also issued emergency patches for an Acrobat Reader zero-day, CVE-2026-34621, that had been exploited in attacks dating back to December 2025.
Security teams running ColdFusion in any version at or below 2025.9 or 2023.20 should treat patching CVE-2026-48282 as an immediate priority given confirmed exploitation and the availability of working exploits in the wild.
