Skip to main content
Emerging Threats

CISA Mandates Patching of Exploited Adobe ColdFusion Flaw

Government facility with computer terminals and a laptop screen displaying a blurred warning message.

KEVIntel founder Ryan Dewhurst warned two days after Adobe issued patches that attackers had begun exploiting CVE-2026-48282 within two hours of Adobe's disclosure.

CVE-2026-48282: scope and technical severity

The flaw, tracked as CVE-2026-48282, affects Adobe ColdFusion versions 2025.9, 2023.20, and earlier. According to public advisories, the vulnerability can be exploited by remote threat actors without privileges in low-complexity attacks to gain code execution on unpatched systems. Adobe characterized the set of fixes that include CVE-2026-48282 as addressing "maximum-severity" issues and urged administrators to deploy the updates immediately.

Adobe explicitly advised administrators to install the update "as soon as possible. (for example, within 72 hours)." The company also stated: "This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform."

CISA adds the flaw to its KEV list and issues a federal patching order under BOD 26-04

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-48282 to its list of vulnerabilities actively exploited in attacks. CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to patch their systems by Friday, June 10, as required by Binding Operational Directive (BOD) 26-04.

BOD 26-04, published last month, directs federal agencies to prioritize patching based on several concrete criteria: whether flaws are included in CISA's Known Exploited Vulnerabilities (KEV) catalog; whether exploitation can be automated for large-scale attacks; whether vulnerable assets are exposed online; and whether successful exploitation grants attackers partial or total control of the targeted device.

Early exploitation signals and internet exposure

Public reporting tied to the patch release indicates rapid exploitation in the wild: KEVIntel's founder said attackers began exploiting the flaw within two hours of Adobe's disclosure. The Canadian Center for Cyber Security (CCCS) also advised network defenders to secure their systems against ongoing attacks targeting the vulnerability.

Internet security watchdog group Shadowserver currently tracks nearly 800 Adobe ColdFusion instances exposed online. The public record notes that there is no information on how many of those are honeypots or have been secured against attacks targeting CVE-2026-48282, leaving measurable exposure visible but not fully characterized.

Adobe's patch cadence and related fixes

Adobe released security updates for ColdFusion one week before CISA's action and separately patched six other maximum-severity flaws in the ColdFusion web app development and Campaign Classic marketing automation platforms the prior week; those six were similarly tagged as high risk of being targeted. For those additional six issues, Adobe said it "is not aware of any exploits in the wild for any of the issues addressed in these updates."

Earlier this year, in early April, Adobe issued emergency updates for an Acrobat Reader vulnerability (CVE-2026-34621) that Adobe said had been exploited as a zero-day since December 2025. That sequence of advisories shows multiple high-severity Adobe fixes and at least one noted instance of an extended zero-day exploitation window.

What this means for FCEB agencies, administrators, and security teams

  • FCEB agencies: The directive requires patching by Friday, June 10, under BOD 26-04, making CVE-2026-48282 a near-term compliance priority for U.S. federal civilian executive branch systems.
  • Administrators of ColdFusion instances: Adobe recommended installing the update "as soon as possible (for example, within 72 hours)," and the vendor's disclosure and subsequent exploit reports indicate that delays increase exposure to active attacks.
  • Security teams and network defenders: Observed exploitation beginning within hours of disclosure and the presence of nearly 800 exposed instances tracked by Shadowserver are signals to prioritize detection, incident response, and the verification of public-facing assets listed as ColdFusion instances.

CISA's formal addition of CVE-2026-48282 to its actively exploited list, accompanied by a BOD 26-04 deadline, converted a vendor patch advisory into an enforceable federal action with a short clock. With reports of exploitation appearing rapidly after disclosure and hundreds of exposed ColdFusion instances visible online, the public record ties an immediate, measurable risk to a narrow technical fix: applying Adobe's security updates for the listed ColdFusion versions.

Original story