Skip to main content
Emerging ThreatsMalware & Ransomware

Adobe ColdFusion Flaw Exploited in Targeted Attacks

Brightly-lit office workstation with laptop and server equipment.

There are 775 exposed ColdFusion instances online, according to data from the ShadowServer Foundation.

Adobe's June 30 bulletin: APSB26-68 and 11 CVEs

On June 30 Adobe released patches for 11 CVEs in the APSB26-68 security bulletin. Six of those vulnerabilities were assigned a CVSS score of 10 — the maximum severity rating — prompting Adobe to urge ColdFusion customers to apply updates immediately after at least one maximum severity flaw was reported as being exploited by attackers.

CVE-2026-48282: a path traversal that can yield arbitrary code execution

Security researchers flagged that CVE-2026-48282 was being targeted within hours of the vulnerability being made public. CVE-2026-48282 is described as a path traversal flaw in the ColdFusion web application development platform that could lead to arbitrary code execution. Adobe noted that maximum severity bugs are particularly dangerous because exploitation does not require user interaction.

At the same time, Adobe said it is still not aware of any exploits in the wild for CVE-2026-48282 or other flaws published in the APSB26-68 bulletin — a cautionary note that sits alongside reports of rapid targeting by researchers.

Exposure on the public internet and historical targeting

ShadowServer Foundation data showing 775 exposed ColdFusion instances provides a view of the attack surface available to opportunistic actors. The platform has a history as a target: Adobe’s materials note that in 2023 threat actors targeted ColdFusion in crypto-mining, DDoS and other attacks. The combination of public-facing instances, high-severity flaws and evidence that at least one bug was reported as being exploited has compounded the urgency of the bulletin.

Adobe doubles advisory cadence, citing AI-driven discovery

Adobe announced in June it will move from a monthly to a twice-monthly schedule for security advisories. “Twice-monthly bulletins will enable us to keep pace with the era of frontier AI. More vulnerabilities found means more fixes to deploy and a once-a-month publication window is no longer fast enough to stay ahead of our adversaries,” explained Adobe chief security officer Aanchal Gupta. Gupta added that the change “is the direct result of investing in improved vulnerability discovery. AI accelerates discovery, but resilience still rests on the fundamentals: visibility, layered controls, continuous monitoring, and the discipline to ship fixes quickly once they are found.”

What this means for technologists, affected enterprises, and adversaries

  • Technologists and security teams: The bulletin and the rapid targeting of CVE-2026-48282 underscore the need to prioritize APSB26-68 patches immediately, especially where public-facing ColdFusion instances exist; maximum severity flaws that permit code execution and require no user interaction raise the bar on urgency.
  • Affected enterprises and procurement leaders: The presence of 775 exposed instances and Adobe’s move to twice-monthly advisories mean organizations should review inventory and update processes so fixes can be applied at a faster rhythm aligned with Adobe’s new publication cadence.
  • Adversaries and threat actors: ColdFusion was already a known target in 2023 for crypto-mining, DDoS and other attacks; researchers observed CVE-2026-48282 being targeted within hours of disclosure, reinforcing that public disclosure can be followed quickly by exploitation attempts.

CISA’s Known Exploited Vulnerabilities catalog did not list CVE-2026-48282 or the other vulnerabilities from APSB26-68 at the time of writing, a status the reporting suggested “will surely change.” Whatever the status of official catalogs, the combination of high-severity ratings, observed targeting and hundreds of internet-exposed instances makes Adobe’s instruction to patch immediately a concrete — and timely — operational demand.

Original story