Adobe ColdFusion is under active attack. CISA placed CVE-2026-48282 on its Known Exploited Vulnerabilities list on July 7, 2026, a flaw rated at the very top of the severity scale. Adobe patched the bug on June 30. The gap between the fix and the first real-world exploitation was about two days. If you run ColdFusion where a developer feature called Remote Development Services is switched on and reachable, treat this as work for today.
We flagged this batch a week ago, when Adobe shipped the fixes and reported no known exploit. That post called the quiet a countdown, because ColdFusion has a long history of fast exploitation once a patch is public. The countdown has now run out for one of the flaws.
The timeline is the story. Adobe released the fix on June 30. On July 2, the research team at watchTowr Labs published a technical breakdown of several ColdFusion bugs from the bulletin. Within minutes, honeypot sensors run by threat-intelligence service KEVIntel logged exploitation attempts, according to Help Net Security. Five days later it was in the federal must-patch catalog. For ColdFusion, the publication of a technical write-up is now the starting gun for attacks, not a warning shot weeks ahead of them.
What the flaw actually does
CVE-2026-48282 is a path-traversal bug, scored CVSS 10.0, in ColdFusion's Remote Development Services (RDS). RDS is a feature that lets a developer's editor read and write files on a running ColdFusion server. The file handler behind it trusted the path supplied in a request without validating it, so a path containing directory-climbing sequences could point outside the folder RDS was meant to touch. An attacker can use that to write a file into the web root, place a ColdFusion script there, and have the server run it. That turns a file-write flaw into remote code execution on the host. watchTowr published a proof-of-concept; we are not reproducing it here.
Affected builds are ColdFusion 2025 up to Update 9 and ColdFusion 2023 up to Update 20, per the CVE record. Adobe fixed it in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, in bulletin APSB26-68.
Who is actually exposed
Here is the part most of the coverage skips. A CVSS 10.0 reads as every ColdFusion server on the planet being one request from compromise. That is not quite the shape of this one. The vulnerable feature, RDS, is off by default. watchTowr's testing indicated that exploitation also needed RDS authentication to be disabled. So the practically exposed population is narrower: ColdFusion servers that have RDS enabled, left unauthenticated, and reachable from an untrusted network. That is a real and dangerous slice, common on developer-adjacent and older installs, but it is not everyone.
The reason to patch anyway is that this is one of several critical flaws in the same June 30 bulletin, RDS status drifts as servers get cloned and reconfigured, and you do not want your exposure resting on a single default holding. Confirm whether RDS is on and internet-facing, then close the CVE outright with the update.
How to tell if you were hit
Patching stops the next attempt. It says nothing about the window between June 30 and the day you patched, when an exposed server was reachable. If your ColdFusion instance had RDS open in that period, hunt before you assume you are clean. Signals worth checking:
- External POST requests to the ColdFusion IDE endpoint at
/CFIDE/main/ide.cfm, especially from addresses you do not recognize. - New
.cfmor.cfcfiles in the web root that you did not deploy, the classic webshell drop. - The ColdFusion Java process spawning a command shell such as
cmd.exe,powershell.exe, or/bin/sh, which it almost never does in normal operation.
File-integrity monitoring on the web root catches the webshell after the fact; a process-lineage alert on the ColdFusion service catches the command execution. Both belong in the detection stack for any internet-facing application server, not just for this week.
Patch today, then hunt the exposure window
The order of operations:
- Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 now. This is the fix.
- Disable RDS on production servers unless a live workflow needs it. It is a development feature and has no place on an internet-facing production box.
- Restrict access to the
/CFIDE/path at your reverse proxy or firewall, so the IDE endpoints are not reachable from the public internet. - Hunt the web root for unexpected script files and review access logs for the request pattern above, covering the days before you patched.
The recurring lesson from ColdFusion, and from every patched-but-already-breached story, is that the update and the investigation are two separate jobs. This flaw closed the patch-to-exploitation window in about two days. The next widely deployed server product will close it faster, and the honest assumption for anything internet-facing is that the write-up landing is the moment the clock starts. Adobe has said it is moving to twice-monthly bulletins because the discovery rate is climbing; plan your patch cadence for a world where the exploit follows the advisory in hours, not weeks.