ctipilot.ch
← Back to the live brief
HIGHCVE-2026-48282exploitedupdatevulnerability

CVE-2026-48282 — Adobe ColdFusion path-traversal RCE now actively exploited and CISA KEV-listed

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel3 sourcesmulti-source

UPDATE · originally covered CVE-2026-48276, -48277, -48281, -48282, -48283, -48316 — Adobe ColdFusion: six CVSS 10.0 unauthenticated RCE paths (2026-07-02)

The 2026-07-02 entry covered Adobe's APSB26-68/69 cluster — six CVSS 10.0 unauthenticated ColdFusion RCE paths plus a Campaign Classic flaw — while Adobe stated it was "not aware of any exploits in the wild." That status has now changed for one member of the cluster. CVE-2026-48282, the CWE-22 path-traversal path, is the first of the six confirmed exploited: KEVIntel reported in-the-wild exploitation captured across its honeypot network within under two hours of the technical details going public (BleepingComputer, 2026-07-06). CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog on 7 July (CISA KEV, 2026-07-07), and BleepingComputer reports Shadowserver telemetry putting internet-exposed ColdFusion instances at roughly 800 (BleepingComputer, 2026-07-08). The remaining five cluster CVEs (CVE-2026-48276/-48277/-48281/-48283/-48316) remain unconfirmed for exploitation as of this run — but the sub-two-hour weaponisation of the first path is the operational signal that the whole cluster is being probed. Defender takeaway: the 1 July patch is now an emergency item for any exposed instance, not a same-week hygiene task; given the unauthenticated file-upload/path-traversal class, an unpatched instance should be hunted for planted web shells before it is patched.

Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.

KEVIntel, via BleepingComputer

can be exploited by remote threat actors without privileges in low-complexity attacks to gain code execution on unpatched systems

BleepingComputer 2026-07-06

Defender actions

  • Confirm every internet-facing ColdFusion 2025/2023 instance is on 2025 Update 10 / 2023 Update 21; treat any unpatched instance as compromised and hunt before patching.
  • Review ColdFusion upload/writable paths (cf_scripts, CFIDE, admin upload directories) for newly written .jsp/.cfm/.cfc files outside deployment windows.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.