The point: The unauthenticated, remotely exploitable vulnerability CVE-2026-48282 in ColdFusion allows arbitrary file writing and code execution when RDS is enabled and unauthenticated.
A security vulnerability in Adobe ColdFusion with a CVSS score of 10 is being actively exploited within two hours of public analysis. CISA and Canadian authorities have warned of attacks on affected systems.
The security vulnerability CVE-2026-48282 affects Adobe ColdFusion and allows unauthenticated attackers to write arbitrary files to the server and execute malicious code with the privileges of the ColdFusion service account via a path traversal flaw in the Remote Development Services (RDS) FILEIO handler. The Common Vulnerability Scoring System rates the vulnerability with a score of 10.0 as critical. Affected are ColdFusion 2025 Update 9 and earlier as well as ColdFusion 2023 Update 20 and earlier.
Adobe released patches on 30 June 2026 via bulletin APSB26-68 (ColdFusion 2025 Update 10, ColdFusion 2023 Update 21). At the time of publication, the vendor had no evidence of active exploitation. After IT security researchers published detailed technical analyses on 2 July, the specialized platform KEVIntel recorded attacks in real time. Ryan Dewhurst, founder of KEVIntel, confirmed: “KEVIntel detected an exploitation in the wild within our global honeypot network.”
The Canadian Centre for Cyber Security issued a warning. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its catalog of actively exploited security vulnerabilities on 7 July 2026. Piyush Sharma, CEO of Tuskira, commented on the incident time window: “Attackers began exploiting within two hours of public disclosure, well before organisations could realistically validate, prioritise, test and deploy patches in production environments.”
Successful exploitation requires the RDS function to be enabled and its authentication to be unconfigured or disabled. Organizations with active ColdFusion instances should immediately verify that RDS is not accessible to the production system and deploy available patches without delay.
Source: www.it-daily.net · Published 9 July 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.