CVE-2026-48282 — Adobe ColdFusion path-traversal RCE now actively exploited and CISA KEV-listed
UPDATE · originally covered CVE-2026-48276, -48277, -48281, -48282, -48283, -48316 — Adobe ColdFusion: six CVSS 10.0 unauthenticated RCE paths (2026-07-02)
The 2026-07-02 entry covered Adobe's APSB26-68/69 cluster — six CVSS 10.0 unauthenticated ColdFusion RCE paths plus a Campaign Classic flaw — while Adobe stated it was "not aware of any exploits in the wild." That status has now changed for one member of the cluster. CVE-2026-48282, the CWE-22 path-traversal path, is the first of the six confirmed exploited: KEVIntel reported in-the-wild exploitation captured across its honeypot network within under two hours of the technical details going public (BleepingComputer, 2026-07-06). CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalog on 7 July (CISA KEV, 2026-07-07), and BleepingComputer reports Shadowserver telemetry putting internet-exposed ColdFusion instances at roughly 800 (BleepingComputer, 2026-07-08). The remaining five cluster CVEs (CVE-2026-48276/-48277/-48281/-48283/-48316) remain unconfirmed for exploitation as of this run — but the sub-two-hour weaponisation of the first path is the operational signal that the whole cluster is being probed. Defender takeaway: the 1 July patch is now an emergency item for any exposed instance, not a same-week hygiene task; given the unauthenticated file-upload/path-traversal class, an unpatched instance should be hunted for planted web shells before it is patched.
Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network.
can be exploited by remote threat actors without privileges in low-complexity attacks to gain code execution on unpatched systems
Defender actions
- Confirm every internet-facing ColdFusion 2025/2023 instance is on 2025 Update 10 / 2023 Update 21; treat any unpatched instance as compromised and hunt before patching.
- Review ColdFusion upload/writable paths (cf_scripts, CFIDE, admin upload directories) for newly written .jsp/.cfm/.cfc files outside deployment windows.
Sources
Entities & scope
Update chain
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.