Back to blog
CVEColdFusionRCEtechnique

Adobe ColdFusion CVE-2026-48282: a max-severity RCE exploited within 2 hours of disclosure

Published on 2026-07-066 min readCleanIssue

> In short: CVE-2026-48282 is a maximum-severity unauthenticated remote code execution flaw in Adobe ColdFusion (versions 2025.9, 2023.20, and earlier). CVSS 9.8, no privileges required. Exploitation started within 2 hours of Adobe's disclosure on July 1, 2026, per KEVIntel's honeypot network. Shadowserver tracks ~800 ColdFusion instances exposed online.

Why this still matters in 2026

ColdFusion is the legacy web platform people love to declare dead — and that keeps running mission-critical government, legal, and enterprise portals. If you sell to the French public sector, legaltech, or large enterprises, your clients' intranet, document portal, or legacy module is disproportionately likely to sit on ColdFusion. The platform's persistence is exactly what makes it a target: large attack surface, slow patching cadence, valuable data behind it.

The flaw and the timeline

Adobe disclosed CVE-2026-48282 on July 1 as part of a batch of six maximum-severity ColdFusion/Campaign flaws. The bulletin described it as a high-risk-of-exploitation RCE achievable with low complexity and no user interaction. Adobe's standard recommendation: install within 72 hours.

The reality was faster. KEVIntel captured in-the-wild exploitation within *under two hours* of the public details going out. The Canadian Centre for Cyber Security (CCCS) issued an alert confirming active exploitation. This is the modern disclosure-to-exploitation curve: when a max-severity web-RCE drops, you measure the safe window in hours, not days.

The ColdFusion pattern

ColdFusion has been a recurrent CISA KEV occupant. Since November 2021, 79 Adobe product CVEs have made it into the catalog of actively exploited flaws, and 10 of those have been used in ransomware attacks. ColdFusion RCE flaws specifically have a history of mass scanning within 24-48 hours of disclosure. The reasons are structural:

  • Internet-exposed install base concentrated in enterprise/government networks with slow patching.
  • High-impact primitives (unauthenticated RCE, deserialization, arbitrary file upload).
  • Predictable endpoints that scanners can fingerprint and hit at scale.
  • When all three line up, you get the "2-hour" exploitation window we saw here.

    What to do

  • Patch now if you operate ColdFusion 2025.9, 2023.20, or earlier. Apply the corresponding Adobe bulletin (APSB26-50) on every instance, including the ones "only used internally."
  • Inventory your exposure. Shadowserver tracks ~800 ColdFusion instances exposed online — but the real number including internal and partner-hosted instances is much larger. The first step many teams miss is knowing they even run a ColdFusion server.
  • Remove ColdFusion from the internet if at all possible. The platform's risk profile in 2026 is incompatible with direct internet exposure. Reverse-proxy it behind an authenticating gateway, restrict admin endpoints, and apply WAF rules tuned for the known ColdFusion attack patterns.
  • Hunt for compromise predating the patch: webshells, unexpected scheduled tasks, new admin accounts, unusual outbound connections. ColdFusion RCE flaws are routinely followed by persistent webshell deployment.
  • Plan the exit. If you operate ColdFusion, the strategic answer is a migration plan, not an eternal patching cadence — every quarter brings a new max-severity flaw, and the exploitation window keeps shrinking.
  • The SaaS angle

    For a SaaS vendor, ColdFusion usually shows up in two places: in your clients' legacy stack (which becomes your problem when you integrate with it), and occasionally in an acquired legacy product you're still maintaining. Either way, the lesson from CVE-2026-48282 is operational: any web platform with a history of unauthenticated RCE and an active scanner ecosystem must be on a sub-72-hour patch SLA, behind a gateway, and off the public internet. "We'll patch next month" is not a posture that survives the 2-hour window.

    Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit