Lead Analysis
Security & Risk6 min

ColdFusion CVE-2026-48282: Active Exploitation and CISA Deadline for U.S. Federal Agencies Expires Today

Mão prende etiqueta vermelha de urgência em quadro de cortiça dentro de um SOC pouco iluminado, monitores âmbar exibindo logs ao fundo, garrafa térmica de café e diretiva impressa sobre a mesa.

The path traversal vulnerability in Adobe ColdFusion was patched on June 30, but attackers began exploiting it within two hours. CISA set July 10 as the federal deadline.

Path Traversal with CVSS 10 and Short Exploitation Window


CVE-2026-48282 is a path traversal vulnerability in Adobe ColdFusion classified with a CVSS score of 10.0, the highest rating. The vulnerability was patched on June 30, alongside six other critical severity fixes for the platform. The window between patch deployment and exploitation was brief: researchers from watchTowr published a technical analysis on July 2, and according to threat intel service KEVIntel, the first honeypots began receiving exploitation attempts hours later. Another reading from the same source indicates that valid attacks started within two hours of the public disclosure.


Exploitation only occurs on servers with Remote Development Services (RDS) enabled and RDS authentication turned off. This combination is not factory default but is common in legacy intranet environments and forgotten development copies in production. Adobe urges immediate upgrade to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21.


CISA Sets Domestic Deadline, Global Private Sector Remains Exposed


On July 7, CISA added the CVE to the Known Exploited Vulnerabilities catalog. Binding Operational Directive 26-04 mandates U.S. federal civilian agencies to rectify the issue by July 10, with the deadline expiring this Friday. The domestic pace is strict, but the global private sector operates without an equivalent oversight and responds at the vendor's disclosure rhythm.


As of this writing, there has been no confirmed corporate client identified as a victim. No ransomware group has claimed responsibility for the incident thus far, and Adobe has not publicly commented on cases of exploitation beyond acknowledging the CVE. Incident response analysts describe the observed pattern as scan-and-drop, involving the upload of a web shell followed by remote execution under the privileges of the ColdFusion process.


What is Confirmed About the Vector


The attack exploits path manipulation to write files outside the web root, which paves the way for web shell deployment and remote execution. SecurityWeek and Bleeping Computer describe the observed exploitation pattern, and threat intel reports point to IP address 103.207.14.220, located in India, as the source of early scans. There is no public attribution to a specific group.


Adobe has classified the patch queue as priority 1, the highest label in its internal scheme. This indicates a high risk of exploitation and recommends patching within 72 hours of disclosure. For servers exposed to the internet during this interval, Adobe advises searching for indicators such as unauthorized files under the web root and under the /CFIDE/ directory.


Why ColdFusion Remains a Target in 2026


Adobe has positioned the platform as a rapid development vehicle for intranet and government portals. The installed base is not large in number, but it contains sensitive assets. Over the past two years, ColdFusion has accumulated at least five entries in the KEV catalog, including CVE-2024-53961, exploited in the same path traversal pattern in 2024. Latest Hacking News described the sequence as "design failure, not bad luck" in an analysis published on July 8. The architectural criticism is harsh but is supported by the repeated occurrence of the vector.


For buyers, the practical decision lies between immediate patching and planned migration. Migrating a ColdFusion portal to a modern stack typically costs between $400,000 and $2 million depending on the volume of custom CFML, explaining the survival of legacy assets within the risk window. The KEV catalog serves, in practice, as the timer that forces the board to recognize the cost of delay.


What Changes for the CISO in Two Markets


In the U.S., the reading is operational: the CISA deadline applies to federal agencies, but B2B contracts with the government typically require patch parity. If your company serves a federal client, the internal audit cycle for the next RFP will inquire about this fix. It’s advisable to conduct an internal inventory today to locate forgotten ColdFusion servers in subsidiaries.


In the UK, the NCSC issued a communication with the same urgency for Whitehall agencies and local councils, without an equivalent BOD. British banks with legacy intranets in ColdFusion receive the same guidance on a voluntary basis; the volume of patches in the next 72 hours will be the proxy for reading the buy-side in London. In India, the coincidence of the originating IP with the region housing the largest MSSP delivery centers in the subcontinent merits attention: if the same infrastructure is reused in other campaigns, the cost of containers increases for the Asian client outsourcing SOC. The old asset carries political cost, and the KEV timer is ticking.

Lead Analysis