
Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel.
ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems.
Adobe released security updates on Tuesday to address the vulnerability, saying that it posed a high risk of exploitation and urging admins to deploy patches immediately.
"This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform," Adobe noted. "Adobe recommends administrators install the update as soon as possible (for example, within 72 hours)."
Two days later, KEVIntel founder Ryan Dewhurst warned that threat actors began exploiting CVE-2026-48282 within two hours of Adobe's disclosure.
"Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network," Dewhurst said.
The Canadian Center for Cyber Security (CCCS), the Government of Canada authority that coordinates the country's national response to cybersecurity incidents, also urged defenders to secure their systems against ongoing attacks.
"Open-source reporting indicates that CVE-2026-48282 is being exploited," the CCCS said. "The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates."
Internet security watchdog Shadowserver now tracks nearly 800 Adobe ColdFusion instances exposed online, but there is no information on how many are honeypots or have been secured against attacks targeting the CVE-2026-48282 flaw.
Adobe ColdFusion instances exposed online (Adobe)Last week, Adobe released patches for six maximum-severity flaws in the ColdFusion web app development and Campaign Classic marketing automation platforms, all of which are exploitable via low-complexity attacks that don't require user interaction and are tagged as high risk of being targeted.
The company has yet to flag any of them as actively exploited, saying that it "is not aware of any exploits in the wild for any of the issues addressed in these updates."
In early April, Adobe also issued emergency updates to fix an Acrobat Reader vulnerability (CVE-2026-34621) that had been exploited in zero-day attacks for at least four months, since December 2025.
Since November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included 79 vulnerabilities in Adobe products in its catalog of actively exploited flaws, 10 of which have also been abused in ransomware attacks.
Update July 06, 10:24 EDT: Changed attribution for the first in-the-wild exploitation report to KEVIntel's Ryan Dewhurst.
Test every layer before attackers do
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.











English (US) ·