The gist: CISA mandates government-wide patching of a critical, actively exploited ColdFusion vulnerability by Friday.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding patch deadline of Friday for US federal agencies to address a critical, actively exploited zero-day vulnerability in Adobe ColdFusion of the highest severity level. The directive underscores the immediate threat to critical infrastructure.
CISA has issued a Binding Operational Directive (BOD) to remediate a zero-day vulnerability in Adobe ColdFusion. The security flaw is already being actively exploited in the wild and carries the maximum severity rating. The patching deadline of Friday applies to all federal agencies and their information systems.
For CISOs in government and critical infrastructure, this represents an escalation: CISA’s imposition of a hard deadline is an indicator of the threat potential and active circulation of exploits in the wild. Agencies operating ColdFusion instances must act immediately to avoid compliance violations.
CISA’s prioritization of ColdFusion follows a established pattern: government agencies are preferred targets for state and non-state actors. An unpatched vulnerability in a widely deployed enterprise web framework creates attack vectors into sensitive systems. Organizations outside the federal government should await patch availability from Adobe and respond accordingly.
Source: www.bleepingcomputer.com · Published 8 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 of the EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.3.