Summary
- Adobe says CVE-2026-48282 has been exploited in limited attacks targeting ColdFusion.
- The bulletin covers ColdFusion 2025 and 2023 and includes multiple critical vulnerabilities.
- Legacy and internet-facing ColdFusion deployments remain a persistent enterprise and public-sector exposure risk.
Adobe has warned that a ColdFusion vulnerability has been exploited in limited attacks, raising the priority for organisations still running the application server in older enterprise and public-sector web estates.
The company’s APSB26-68 bulletin says security updates are available for ColdFusion 2025 and ColdFusion 2023. Adobe says the updates resolve critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file-system read, and security feature bypass.
The exploited issue is CVE-2026-48282, a path traversal vulnerability with a CVSS score of 10.0 that can lead to arbitrary code execution. Adobe says it is aware that the vulnerability has been exploited in the wild in limited attacks targeting ColdFusion. Affected versions are ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Fixed versions are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
The bulletin includes several other critical vulnerabilities, including multiple arbitrary code execution issues with CVSS scores of 10.0, an arbitrary file-system read issue, privilege escalation flaws, reflected cross-site scripting, and a server-side request forgery issue. Adobe also recommends use of the latest MySQL Java connector, updated serial filter documentation, current Java runtime updates, and the relevant ColdFusion security configuration and lockdown guidance.
ColdFusion remains a familiar exposure category because it often sits inside long-lived web applications that are difficult to replace. Internal ownership may be unclear, the original developers may have left, and business functions may still depend on applications built years earlier. When an exploited critical flaw appears, internet exposure, sensitive data, and slow change control can combine quickly.
The public-sector and regulated-sector exposure is significant in the UK and Europe. Older web application stacks can persist in councils, education bodies, healthcare-related services, suppliers, and regulated organisations, often behind thin maintenance arrangements. A legacy platform does not become low risk because it is old. If it remains connected to users, data, authentication, or public-facing services, it needs current security ownership.
Exploitation status should change response sequencing. Organisations should identify ColdFusion deployments, confirm exposed versions, apply updates, review Adobe’s hardening guidance, inspect logs, and look for suspicious file access, upload activity, command execution, or unexpected configuration changes. Where systems are internet-facing, a patch record alone may not be enough to rule out compromise.
The issue also shows why software asset management remains central to resilience. Vulnerability programmes cannot prioritise platforms they cannot find, and legacy application servers are often underrepresented in inventories built around endpoints, cloud workloads, and mainstream business applications. Exploited application server vulnerabilities become urgent when attackers find the exposed estate before the organisation does.
Adobe’s ColdFusion security bulletin gives administrators the remediation baseline. Organisations still running ColdFusion need a defensible view of exposure, ownership, and evidence before limited exploitation turns into a wider incident response problem.




