CVE-2026-48282 — a maximum-severity Adobe ColdFusion vulnerability — is being exploited in attacks, the Canadian Center for Cyber Security (CCCS) warned on Thursday.
The vulnerability: CVE-2026-48282 and affected ColdFusion versions
The flaw tracked as CVE-2026-48282 affects Adobe ColdFusion releases 2025.9, 2023.20, and earlier. According to Adobe and the CCCS, the vulnerability can be exploited by an attacker without privileges to achieve remote code execution on unpatched systems. That combination — no required privileges and the potential for remote code execution — is what led vendors to classify the issue as maximum severity.
Adobe's patching guidance and recent history of ColdFusion fixes
Adobe released security updates on Tuesday to address CVE-2026-48282 and urged administrators to deploy the fixes immediately. Adobe said the issue "posed a high risk of exploitation" and recommended administrators "install the update as soon as possible (for example, within 72 hours)." The company also explained that the update "resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform."
Adobe additionally released patches the previous week for six maximum-severity flaws in ColdFusion and Campaign Classic; those flaws were described as exploitable via low-complexity attacks that do not require user interaction and were singled out as "high risk of being targeted." Adobe noted, however, that it "is not aware of any exploits in the wild for any of the issues addressed in these updates." The company has also issued emergency fixes earlier in 2026, including an Acrobat Reader vulnerability (CVE-2026-34621) that Adobe said had been exploited in zero-day attacks since December 2025.
CCCS warning and evidence of active exploitation
Two days after Adobe's Tuesday patches, the Canadian Center for Cyber Security — the Government of Canada authority that coordinates the country's national response to cybersecurity incidents — warned that "threat actors have already begun exploiting CVE-2026-48282" and encouraged defenders to secure systems. The Cyber Centre wrote: "Open-source reporting indicates that CVE-2026-48282 is being exploited." It further urged users and administrators to "review the provided web links and apply the necessary updates."
Internet exposure and prior patterns tracked by watchdogs
Internet security watchdog Shadowserver is tracking nearly 800 Adobe ColdFusion instances exposed online, the reporting shows. The available data does not indicate how many of those hosts are honeypots or have already been secured against attacks specifically targeting CVE-2026-48282. Separately, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has, since November 2021, included 79 Adobe-product vulnerabilities in its catalog of actively exploited flaws; 10 of those have also been abused in ransomware attacks, underscoring a history of Adobe product flaws being attractive targets for attackers.
How administrators, security teams, and defenders are affected
- Administrators: For organizations running ColdFusion 2025.9, 2023.20, or earlier, Adobe's explicit direction is to apply the released updates immediately and ideally within the 72-hour window Adobe suggested. The vendor's messaging frames the patches as addressing vulnerabilities with a higher risk of being targeted.
- Security teams: Because the flaw enables remote code execution without privileges and public reporting indicates active exploitation, monitoring for post-exploitation activity and validating the patch status of externally exposed ColdFusion instances should be priorities. Shadowserver's count of nearly 800 exposed instances provides a starting point for inventory and triage, but teams must confirm which instances are production, patched, or decoy.
- Defenders and incident responders: The CCCS advisory and Adobe's patches arriving two days apart illustrate a rapid window between disclosure and observed exploitation. Responders should treat observed attempts against CVE-2026-48282 as actionable and review web links and mitigation guidance highlighted by the Cyber Centre.
Two concrete facts frame the immediate risk: the vulnerability can be exploited without privileges to gain remote code execution, and public reporting already indicates exploitation. What remains unresolved in public reporting is how many of the nearly 800 externally visible ColdFusion instances remain vulnerable or unpatched — a tally that will determine the scale of the compromise risk in the coming days and weeks.




