Adobe ColdFusion CVE-2026-48282: a max-severity RCE exploited within 2 hours of disclosure
> In short: CVE-2026-48282 is a maximum-severity unauthenticated remote code execution flaw in Adobe ColdFusion (versions 2025.9, 2023.20, and earlier). CVSS 9.8, no privileges required. Exploitation started within 2 hours of Adobe's disclosure on July 1, 2026, per KEVIntel's honeypot network. Shadowserver tracks ~800 ColdFusion instances exposed online.
Why this still matters in 2026
ColdFusion is the legacy web platform people love to declare dead — and that keeps running mission-critical government, legal, and enterprise portals. If you sell to the French public sector, legaltech, or large enterprises, your clients' intranet, document portal, or legacy module is disproportionately likely to sit on ColdFusion. The platform's persistence is exactly what makes it a target: large attack surface, slow patching cadence, valuable data behind it.
The flaw and the timeline
Adobe disclosed CVE-2026-48282 on July 1 as part of a batch of six maximum-severity ColdFusion/Campaign flaws. The bulletin described it as a high-risk-of-exploitation RCE achievable with low complexity and no user interaction. Adobe's standard recommendation: install within 72 hours.
The reality was faster. KEVIntel captured in-the-wild exploitation within *under two hours* of the public details going out. The Canadian Centre for Cyber Security (CCCS) issued an alert confirming active exploitation. This is the modern disclosure-to-exploitation curve: when a max-severity web-RCE drops, you measure the safe window in hours, not days.
The ColdFusion pattern
ColdFusion has been a recurrent CISA KEV occupant. Since November 2021, 79 Adobe product CVEs have made it into the catalog of actively exploited flaws, and 10 of those have been used in ransomware attacks. ColdFusion RCE flaws specifically have a history of mass scanning within 24-48 hours of disclosure. The reasons are structural:
When all three line up, you get the "2-hour" exploitation window we saw here.
What to do
The SaaS angle
For a SaaS vendor, ColdFusion usually shows up in two places: in your clients' legacy stack (which becomes your problem when you integrate with it), and occasionally in an acquired legacy product you're still maintaining. Either way, the lesson from CVE-2026-48282 is operational: any web platform with a history of unauthenticated RCE and an active scanner ecosystem must be on a sub-72-hour patch SLA, behind a gateway, and off the public internet. "We'll patch next month" is not a posture that survives the 2-hour window.
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
SharePoint CVE-2026-58644: a critical RCE zero-day added to the CISA KEV catalog
A deserialization flaw (CVSS 9.8) in Microsoft SharePoint Server lets an attacker authenticated as Site Owner execute arbitrary code remotely. Actively exploited as a zero-day, added to the CISA KEV catalog on July 16, 2026 with a July 19 remediation deadline.
Zoom CVE-2026-53412: a critical account takeover in the Windows desktop client
An improper input validation flaw (CVSS 9.8) in Zoom Workplace for Windows, the VDI Client, and the Meeting SDK lets an unauthenticated attacker take over accounts via network access. Affects versions before 7.0.0. Fix available.
WordPress CVE-2026-8206: unauthenticated admin takeover via the Kirki plugin
The Kirki WordPress plugin (6.0.0 to 6.0.6) lets an unauthenticated attacker take over an administrator account via a broken password reset. CVSS 9.8, active exploitation, ~150,000 sites exposed. Fix: 6.0.7.
Sources
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.