Close-up of a computer screen displaying programming code in a dark environment.
News

CVE-2026-48282: Adobe ColdFusion RCE Exploited in the Wild Within Two Hours of Disclosure

CVE-2026-48282 is a max-severity Adobe ColdFusion RCE exploited within 2 hours of disclosure. Around 800 instances exposed online. Patch immediately.
Sami Malik
Copywriter

Adobe published a patch for a critical ColdFusion vulnerability on a Tuesday. By Thursday, Ryan Dewhurst, founder of KEVIntel, reported that his organisation's global honeypot network had captured in-the-wild exploitation. The gap between disclosure and active attacks was less than two hours. The vulnerability is CVE-2026-48282, a maximum-severity remote code execution flaw in Adobe ColdFusion that requires no credentials and no user interaction. Nearly 800 ColdFusion instances are currently exposed to the internet.

Adobe's advisory had recommended that administrators deploy the patch within 72 hours, describing CVE-2026-48282 as a vulnerability "being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." That was cautious language for a disclosure moment. By the time the 72-hour window expired, exploitation was already confirmed by multiple independent sources, including the Canadian Centre for Cyber Security, which issued its own alert urging defenders to act.

What CVE-2026-48282 Is

ColdFusion is a commercial web application development platform produced by Adobe, widely used for building enterprise-grade websites and internal business applications. It is particularly prevalent in organisations that built web infrastructure in the early 2000s and have maintained ColdFusion-based applications since. The platform has a long history of critical vulnerabilities that draw rapid exploitation after disclosure, making it a consistent entry on CISA's Known Exploited Vulnerabilities list. Since November 2021, CISA has added 79 Adobe product vulnerabilities to that catalogue.

CVE-2026-48282 affects ColdFusion version 2025.9, version 2023.20, and earlier releases. The flaw allows a remote attacker with no privileges to execute arbitrary code on the affected server. The CVSS score is the maximum possible: 10.0. The attack requires no user interaction and is classified as low-complexity, meaning the steps to reach a working exploitation are straightforward once the technique is known. Adobe classified it as a maximum-severity issue posing a high risk of exploitation, which in retrospect was accurate: the exploitation timeline proved the assessment correct within hours.

Two Hours From Patch to Exploitation

The sequence of events around CVE-2026-48282 is worth examining carefully because it compresses a patching timeline problem that normally plays out over days or weeks into a case study that fits inside a single working day.

Adobe released patches on Tuesday. KEVIntel's honeypot network, which runs internet-facing instances of vulnerable services to observe attack traffic, captured the first exploitation attempts against CVE-2026-48282 within roughly two hours of the patch becoming public. Dewhurst's announcement on Thursday documented what his network had seen. The Canadian Centre for Cyber Security issued an independent advisory urging organisations to apply the fix. Shadowserver, which tracks internet-facing services across the global IP space, reported approximately 800 ColdFusion instances exposed online.

The two-hour exploitation timeline is consistent with how sophisticated actors now operate against newly disclosed web application vulnerabilities. The publication of a patch is itself a signal: it tells attackers that a vulnerability exists, often provides enough information to reverse-engineer the fix and understand the underlying flaw, and identifies the range of software versions that are affected. Attackers who maintain standing capabilities to scan for and test web application vulnerabilities can move from patch publication to working exploit within hours for certain vulnerability classes. Remote code execution on a web application platform with no authentication required is precisely the class that draws the fastest response.

The Exploitation Pattern ColdFusion Attracts

The history of ColdFusion exploitation is relevant context for understanding what CVE-2026-48282 represents in practice. ColdFusion servers that have been compromised through remote code execution vulnerabilities have been used to deploy web shells, establish persistent access that survives patching of the initial vulnerability, exfiltrate database contents, and serve as pivot points into internal networks. The platform's prevalence in financial services, healthcare, and government agencies makes it a target where the data accessible from a compromised server tends to be high-value.

Earlier in 2026, Adobe issued emergency patches for six additional maximum-severity flaws in ColdFusion and Campaign Classic. The company noted at the time that it was not aware of exploitation in the wild for those six. The situation with CVE-2026-48282 is different: exploitation was confirmed before the advisory cycle had completed its first week. That difference in timeline suggests either that CVE-2026-48282 was identified and weaponised before Adobe's disclosure, or that the vulnerability class is simple enough that working exploits were developed within the two-hour window following publication. Either scenario has the same operational implication for administrators: the assumption that there is a comfortable patching window does not hold for this vulnerability.

April 2026 produced a separate ColdFusion-adjacent data point: Adobe issued emergency patches for an Acrobat Reader vulnerability, CVE-2026-34621, that had been exploited as a zero-day since December 2025, a period of roughly four months during which attackers had undetected access to the flaw. The contrast between that timeline, where attackers had months of silent exploitation before Adobe's disclosure, and the CVE-2026-48282 timeline, where exploitation began within hours of the vendor's own disclosure, illustrates the two ends of the spectrum that Adobe vulnerabilities now occupy.

What Defenders Must Do Now

The immediate action is straightforward: identify every ColdFusion installation in the environment, confirm the version against the affected range (2025.9 and 2023.20 and below), and apply the Adobe-issued patch. ColdFusion's update mechanism is documented in Adobe's security advisory. In environments where ColdFusion is managed by a central application operations team rather than a security team, the communication of urgency matters: a 72-hour patching recommendation that would normally be treated as a standard patch cycle target should be treated as a hard deadline given the confirmed exploitation timeline.

For any ColdFusion server that was internet-exposed and unpatched during the window between Adobe's Tuesday publication and a subsequent patch application, the appropriate response is not to patch and move on. It is to treat the server as potentially compromised and to conduct a review for indicators of compromise before returning it to production. Web shell deployments are the most common post-exploitation payload on ColdFusion servers following an RCE vulnerability; they are often placed in web-accessible directories with non-obvious filenames and persist after patching. A log review covering the period between the vulnerability's disclosure and the application of the patch, looking specifically for unusual CFML file creation events, unexpected outbound connections, and new files in web root directories, is the appropriate post-patch step.

The Shadowserver count of approximately 800 internet-exposed ColdFusion instances globally is an undercount in the sense that it captures only directly accessible instances rather than those sitting behind load balancers, reverse proxies, or WAFs that might mask the underlying technology. Organisations that run ColdFusion behind a WAF should verify that their WAF rule set includes detection for the specific exploitation pattern associated with CVE-2026-48282 and that those rules were updated before the exploitation window opened.

The Broader ColdFusion Security Posture Problem

ColdFusion's security history creates a specific challenge for organisations that have inherited deployments rather than built them from scratch. The platform is often running business-critical applications built by teams that no longer exist in their original form, on versions that have not been updated because the application was never tested against newer ColdFusion releases, on servers that have not been included in the standard patching cycle because they are considered legacy infrastructure. That combination, critical data, outdated software, limited operational ownership, is the configuration that makes ColdFusion servers disproportionately valuable to attackers.

The 79 Adobe product vulnerabilities in CISA's Known Exploited Vulnerabilities catalogue since November 2021 represent a pattern that is specific enough to be actionable as a procurement and maintenance policy decision. Organisations running ColdFusion have a measurably higher exposure to actively exploited critical vulnerabilities than those running alternatives. Where migration away from ColdFusion is not currently feasible, the minimum viable security posture includes current patching, network segmentation to limit what a compromised ColdFusion server can reach, and regular web shell scanning of the server's file system. Where migration is feasible, CVE-2026-48282 is a useful argument for accelerating that work.

Post-Exploitation Patterns on ColdFusion Servers

The pattern of post-exploitation activity on compromised ColdFusion servers following remote code execution vulnerabilities is well-documented by incident response firms and government agencies. The most common first payload is a web shell: a small CFML or JSP file placed in a web-accessible directory that accepts commands from the attacker via HTTP requests. Web shells are persistent across reboots, survive patching of the original vulnerability, and are often placed with filenames that blend into legitimate application files.

CISA's advisories on prior ColdFusion exploitation have specifically documented attackers using the initial RCE to read ColdFusion configuration files containing database connection strings and application credentials. These credentials typically have access to the application's database, which in enterprise ColdFusion deployments often contains customer data, employee records, or internal business information. The step from web shell to database credential exfiltration is one of the fastest paths in post-exploitation activity on this platform.

Beyond the server itself, a compromised ColdFusion instance is often positioned well inside the network perimeter. ColdFusion servers are typically not in DMZ segments because they need database access and connections to internal services. An attacker who establishes persistent access via a web shell can use the ColdFusion server as a pivot point to reach internal systems that are not directly exposed to the internet. Network security tools that focus on external threat detection miss this lateral movement because it originates from an internal, trusted IP address.

The 72-Hour Window That Has Already Closed

Adobe's language in its advisory, recommending patching "within 72 hours" for vulnerabilities it classifies as being targeted in the wild, is intended as an upper bound, not a comfortable deadline. For CVE-2026-48282, that 72-hour window had already seen confirmed exploitation before it expired. This is a useful data point for any organisation that uses vendor-suggested patching windows as its operational target: when a vendor recommends 72 hours and exploitation is confirmed in under two hours, the 72-hour window is a retrospective description of urgency, not a prospective safe period.

The Shadowserver count of approximately 800 internet-exposed ColdFusion instances represents the directly accessible population. It does not include instances accessible only through VPNs or internal networks, which are relevant to insider threats and to attackers who have already established a presence inside the network through other means. The figure is useful for situational awareness about the global exposed surface but should not be read as the total population at risk. Any ColdFusion instance running the affected versions, regardless of whether it is directly internet-accessible, should be treated as a patching target.

ColdFusion in the Enterprise: Who Still Runs It and Why

The population of approximately 800 internet-exposed ColdFusion instances documented by Shadowserver is, paradoxically, both a small number and a high-value set of targets. ColdFusion has been on a declining adoption trajectory since the mid-2000s, when PHP, Ruby, and later Node.js began displacing it for new development. The organisations that still run ColdFusion at scale in 2026 are largely those that built critical web applications on the platform during its peak adoption period and have not yet completed migration to modern alternatives.

This creates a specific profile: legacy ColdFusion installations are disproportionately concentrated in sectors that built significant web infrastructure in the late 1990s and early 2000s, primarily government agencies, healthcare organisations, higher education institutions, and financial services firms. These sectors also handle some of the most sensitive data categories: government records, medical records, student financial data, and financial account information. The organisations running ColdFusion are not small targets of opportunity. They are often substantial organisations with valuable data and with security programmes that were not necessarily designed around the ColdFusion-specific vulnerability lifecycle.

The administrative burden of maintaining ColdFusion also contributes to the patching gap. ColdFusion updates are not distributed through operating system update channels or standard application patch management frameworks. They require a dedicated process: downloading the update from Adobe, running the installation against each ColdFusion instance, verifying that the application continues to function correctly after the update, and repeating this process for each environment. In organisations where the ColdFusion application is the responsibility of an application development team rather than a security team, the patch may not even be in the security team's visibility until a vulnerability with active exploitation forces the conversation.

The CISA KEV Catalogue as a Patching Signal

CISA's Known Exploited Vulnerabilities catalogue has become the most widely used prioritisation tool for government agencies under the Binding Operational Directive 22-01, and increasingly influential in the private sector as well. The 79 Adobe product entries in the catalogue since November 2021 are not randomly distributed across Adobe's product portfolio. ColdFusion is represented disproportionately because its vulnerability profile, high-severity unauthenticated remote code execution flaws, is exactly the profile that translates into active exploitation.

CVE-2026-48282 will be added to the KEV catalogue once CISA formally documents the confirmed exploitation. At that point, federal agencies under BOD 22-01 will have a statutory deadline for remediation. But the exploitation timeline documented for this vulnerability, active attacks within two hours of Adobe's disclosure, means that the window between disclosure and KEV catalogue addition is itself a period of active risk. The KEV catalogue is a trailing indicator, not a leading one. For vulnerabilities with this exploitation timeline, waiting for the KEV listing to appear before beginning the patch deployment is not a viable risk management strategy.

ColdFusion Alternatives and Migration Considerations

For security leadership at organisations that have been managing ColdFusion's vulnerability lifecycle for years, CVE-2026-48282 is an opportunity to restart or accelerate a migration conversation that may have stalled. The total cost of ownership calculation for legacy ColdFusion deployments has shifted: the security overhead of managing a platform with a documented exploitation-within-hours history, on software with no path to a current-generation development ecosystem, now competes against migration costs that may have previously seemed prohibitive.

Modern CFML engines including Lucee, which is open-source and actively maintained, provide a migration path for legacy ColdFusion applications without requiring a complete rewrite. Lucee runs most ColdFusion markup with minimal modification and has a substantially better security track record than Adobe ColdFusion. For organisations whose primary concern is the legacy vulnerability exposure of Adobe's proprietary ColdFusion platform rather than the CFML language itself, a migration to Lucee or BoxLang addresses the vendor-specific vulnerability component while preserving the application code investment.

For organisations where a full migration is not currently feasible, the minimum security posture includes current patching, network access controls that limit which IP ranges can reach the ColdFusion server's HTTP interface, a WAF with rules covering known ColdFusion exploitation patterns, and regular integrity checks of the web application's file system to detect web shells or other persistence mechanisms. None of these compensating controls eliminates the underlying risk, but together they reduce the probability of a successful undetected compromise to a manageable level for the period of time required to complete a migration or maintain current patching.

The Web Application Firewall Gap

Organisations that have deployed web application firewalls in front of their ColdFusion servers may have a degree of protection against the specific exploitation pattern associated with CVE-2026-48282, depending on how quickly their WAF vendor updated rules after Adobe's disclosure. WAF rules for ColdFusion exploitation typically target the specific request patterns that reach the vulnerable component, such as unusual requests to ColdFusion's administrative endpoints or requests that contain serialised Java objects in formats associated with previous ColdFusion deserialization vulnerabilities.

However, WAF protection for a maximum-severity RCE with active exploitation has important limitations. WAF vendors update their rule sets after learning about exploitation patterns, not before. In the two-hour window between Adobe's disclosure and confirmed exploitation, no WAF vendor had updated rules specifically targeting CVE-2026-48282 exploitation. Even after rule updates are available, WAF bypass techniques are well-documented for ColdFusion specifically, because the platform's history of critical vulnerabilities means the research community has invested in understanding its attack surface comprehensively. A WAF is a useful layer of defence in depth for ColdFusion, but it is not a substitute for patching and should not be treated as a reason to deprioritise the update.

For organisations that completed the patch deployment during the first 48 hours after Adobe's disclosure, the immediate risk from CVE-2026-48282 is mitigated. The ongoing work is to verify that no web shells or other persistence mechanisms were deployed during any window when ColdFusion was accessible and unpatched. A recurring scheduled scan of the ColdFusion web root for files with unusual creation timestamps, unusual file extensions, or content patterns consistent with web shells is a low-cost operational addition that catches late-arriving indicators of compromise that were missed in an initial post-patch review.

How Defendis Can Help

Unpatched routers, exposed privileged access management portals, and web application servers running outdated software all represent footprints your organisation may not know it has. Defendis continuously monitors the attack surface visible from the outside: exposed services, leaked credentials, and chatter in underground markets where initial access to specific organisations is traded. When a new critical vulnerability lands against software your organisation runs, or when credentials from your domain appear in a stealer log, your team gets the signal before an attacker acts on it. See how early exposure detection changes incident outcomes, or request a tailored briefing for your organisation.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.

Related Articles

Discover simplified
Cyber Risk Management
Request access and learn how we can help you prevent cyberattacks proactively.