Adobe ColdFusion Under Active Attack: CVE-2026-48282 & 6 More CVSS 10.0 Flaws — Patch Now Before Your Server Is Next
On 1 July 2026, Adobe published a security bulletin that should have stopped every ColdFusion administrator cold: seven vulnerabilities carrying the maximum possible CVSS score of 10.0, all enabling unauthenticated remote code execution on unpatched servers — and within hours of disclosure, at least one of them was already being exploited in the wild. If your organisation runs Adobe ColdFusion on-premise, this is not a “patch it in the next sprint” situation. It is a “drop everything and patch now” situation.
- Adobe patched 9 vulnerabilities on 1 July 2026 across ColdFusion 2023/2025 and Campaign Classic v7 — 7 carry CVSS 10.0.
- CVE-2026-48282 (path traversal / arbitrary file write, CVSS 10.0) was exploited in the wild within hours of disclosure.
- The confirmed exploitation attempt originated from an IP geolocated to India — putting Indian enterprises at elevated, immediate risk.
- Vulnerable versions: ColdFusion 2023 Update 20 and earlier; ColdFusion 2025 Update 9 and earlier; Campaign Classic v7 build 9396 and earlier.
- Fixes: ColdFusion 2023 Update 21, ColdFusion 2025 Update 10, Campaign Classic v7 build 9397.
- All six ColdFusion CVEs require no authentication and no user interaction — network-accessible ColdFusion instances are directly reachable from the internet.
- Adobe is moving to twice-monthly security bulletins from 14 July 2026, citing AI-assisted vulnerability discovery.
What Adobe Disclosed — And Why It Is Exceptional
Adobe’s July 2026 security update covers nine distinct vulnerabilities across two products. The sheer density of CVSS 10.0 scores in a single bulletin is unusual even by enterprise-software standards. For context, a CVSS 10.0 score requires maximum severity across attack vector (network), complexity (low), privilege requirements (none), user interaction (none), scope (changed), and impact (full confidentiality, integrity, and availability loss). Every one of these ColdFusion flaws clears that bar.
Adobe confirmed that ColdFusion was audited using AI-assisted vulnerability scanning — a technique that compresses the discovery timeline dramatically, which is exactly why the company is doubling its bulletin cadence to the second and fourth Tuesday of each month from 14 July 2026 onward. In other words: expect more patches, more frequently.
Technical Breakdown: Nine CVEs You Need to Know
| CVE ID | CVSS | Vulnerability Type | Impact | Status |
|---|---|---|---|---|
| CVE-2026-48276 | 10.0 | Unrestricted file upload | Remote code execution | Patched |
| CVE-2026-48277 | 10.0 | Improper input validation | Remote code execution | Patched |
| CVE-2026-48281 | 10.0 | Improper input validation | Remote code execution | Patched |
| CVE-2026-48282 | 10.0 | Path traversal / arbitrary file write | Remote code execution | ⚠ Exploited |
| CVE-2026-48283 | 10.0 | Unrestricted file upload | Remote code execution | Patched |
| CVE-2026-48316 | 10.0 | Improper input validation | Remote code execution | Patched |
| CVE-2026-48286 | 10.0 | Incorrect authorization (Campaign Classic) | Arbitrary code execution | Patched |
| CVE-2026-48313 | 9.3 | Path traversal | Arbitrary file system read | Patched |
| CVE-2026-48315 | 9.3 | Improper input validation | Privilege escalation | Patched |
CVE-2026-48282: The One Already Being Exploited
Of all nine CVEs, CVE-2026-48282 is the most immediately dangerous. It is a path traversal vulnerability that escalates to arbitrary file write — meaning an attacker can traverse outside the ColdFusion web root, write arbitrary content to any path the ColdFusion process can reach, and deliver a webshell or malicious configuration that grants full operating system access. No authentication. No user interaction. One HTTP request is enough.
According to The Hacker News, researchers detected exploitation attempts targeting CVE-2026-48282 within hours of Adobe’s public disclosure on 1 July 2026. Critically, the initial confirmed exploitation attempt originated from an IP address geolocated to India. The attacker’s payload attempted to read system files using path traversal sequences — a common first step to enumerate server internals before escalating to webshell deployment. This is not theoretical. It is happening.
BleepingComputer confirmed the same exploitation timeline, noting that the affected ColdFusion instances being targeted are those exposed directly to the internet — a common deployment pattern in Indian IT environments where ColdFusion hosts internal HR portals, ERP front-ends, and legacy web applications.
The two vulnerability classes in this bulletin deserve particular attention:
- Unrestricted file upload (CVE-2026-48276, CVE-2026-48283): ColdFusion fails to validate the type, name, or content of uploaded files in certain code paths. An attacker submits a CFM or executable file disguised as an innocuous upload — the server stores it, the attacker browses to it, and executes arbitrary server-side code.
- Path traversal to file write (CVE-2026-48282): ColdFusion’s file-handling routines improperly sanitise directory separators (e.g.,
../sequences), allowing writes to locations outside the intended directory. Combined with ColdFusion’s native template execution, this is a direct path to a webshell — one that survives reboots and is difficult to detect post-compromise without file integrity monitoring.
Adobe Campaign Classic: On-Premise Deployments at Risk
CVE-2026-48286 (CVSS 10.0) affects Adobe Campaign Classic v7, build 9396 and earlier — specifically on-premise Windows and Linux deployments. Adobe’s cloud-hosted Campaign Classic instances were silently patched before the disclosure, so if your organisation self-hosts Campaign Classic for email marketing or transactional messaging, you are currently running a system with a max-severity remote code execution vulnerability. The fix is Campaign Classic v7 build 9397, available now from Adobe’s distribution channel.
Campaign Classic is widely deployed in Indian retail, banking, and insurance sectors for marketing automation. If your NOC or SOC does not currently have visibility into Campaign Classic upgrade status, this is the week to fix that gap.
What You Should Do Right Now — Sanjay’s Expert Checklist
Having worked with enterprise security architecture and NOC/SOC operations across Indian enterprises for over three decades, I have seen how quickly exploit code spreads after a high-profile disclosure. With CVE-2026-48282 already confirmed in the wild, the patch window here is measured in hours — not days.
- Inventory immediately. Run a query across your asset management and CMDB for any instance of Adobe ColdFusion or Campaign Classic v7. Include test/staging environments — attackers do not distinguish between prod and dev when scanning for file upload endpoints.
- Patch ColdFusion now. Upgrade to ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10. Download directly from Adobe’s official ColdFusion security advisory. If you cannot patch immediately, take the server offline or restrict access to trusted IP ranges via your perimeter firewall or WAF rules.
- Patch Campaign Classic. Move on-premise Campaign Classic deployments to v7 build 9397 immediately.
- Enable Adobe’s lockdown configuration. Adobe publishes a ColdFusion Lockdown Guide for each major version. With CVE-2026-48276 and CVE-2026-48283 (unrestricted file uploads), ensure the ColdFusion Administrator’s file upload paths are explicitly allowlisted and that the
cffiletag is restricted to authorised template locations. - Check for indicators of compromise. Even if you patch immediately, if your ColdFusion server was internet-accessible between 1 July and today (7 July 2026), treat it as potentially compromised. Look for: new CFM files in web-accessible directories, unexpected processes spawned by the ColdFusion service account, new scheduled tasks or cron jobs, and outbound connections from the server to unfamiliar IP addresses.
- Review web application firewall rules. If you have a WAF (FortiWeb, F5, Imperva, or similar), push signatures for path traversal payloads (
../,%2e%2e%2f,..%5csequences) and block direct access to ColdFusion administrator interfaces (/CFIDE/administrator/) from public IP ranges. - Notify your CISO and board. The India-origin exploitation attempt underlines that threat actors are actively scanning Indian IP blocks for ColdFusion instances. This is a board-level risk event given the combination of active exploitation, CVSS 10.0, and no-auth access requirement.
If you are an MSP or MSSP running ColdFusion on behalf of clients, apply these patches to every managed instance and document your remediation timestamps. With AI-assisted scanning now in attackers’ arsenals, the gap between patch release and mass exploitation continues to shrink — as this week has demonstrated again.
The broader pattern here is worth noting. This is the second major enterprise web-application disclosure in a week that has seen active exploitation within 24–48 hours of public disclosure. We covered the Oracle PeopleSoft ShinyHunters incident last week, and the SAP NetWeaver SAML bypass affecting Indian enterprises two weeks before that. The velocity of exploitation is accelerating. Your patch SLAs need to reflect that reality.
Frequently Asked Questions
Is ColdFusion still widely deployed in India in 2026?
More than most security teams realise. ColdFusion powers a significant portion of India’s legacy banking portals, government e-services, and enterprise HR systems that were built in the 2000s and have been maintained rather than rebuilt. Many of these instances have not been actively patched because they are considered “stable” — a dangerous posture when a CVSS 10.0 flaw is now being actively exploited.
My ColdFusion server is behind a load balancer — am I still at risk?
Yes, unless that load balancer or WAF actively blocks path traversal payloads and restricts file upload endpoints. A load balancer that simply distributes traffic does not strip or inspect HTTP payloads. Only a properly configured application-layer control — WAF rules, ColdFusion-specific intrusion prevention signatures — reduces exposure. Network segmentation helps but does not eliminate risk if any internal host can reach the ColdFusion service.
What is the risk from CVE-2026-48286 (Campaign Classic)?
Very high for on-premise deployments. Campaign Classic often has privileged access to marketing databases and customer PII. A full compromise of a Campaign Classic server can expose customer data, allow attackers to send phishing emails from your authenticated mail infrastructure, and serve as a pivot into your internal network. Adobe’s cloud-hosted instances are already patched; only self-hosted deployments running build 9396 or earlier are vulnerable.
How quickly should I expect public exploit code for the other six CVEs?
Based on the exploitation of CVE-2026-48282 within hours of disclosure, assume that working exploit code for the unrestricted file upload CVEs (CVE-2026-48276, CVE-2026-48283) is being developed or has already been shared in closed threat-actor communities right now. Publicly available proof-of-concept code typically appears on exploit-db or GitHub within days of a CVSS 10.0 disclosure of this nature. Treat the entire set of nine CVEs with equal urgency.
Adobe’s July 2026 ColdFusion bulletin is a five-alarm event. Seven CVSS 10.0 scores, confirmed in-the-wild exploitation of CVE-2026-48282 (with an India-origin attacker already confirmed), and six additional zero-auth RCE vectors waiting for the next scanner sweep. There is no safer version of “wait and see” here. Patch now, hunt for compromise indicators, and lock down your ColdFusion attack surface.
For authoritative source material, see the Adobe ColdFusion Security Bulletin, the Adobe Campaign Classic Advisory (APSB26-53), and the full Vulert CVE tracking page for ongoing exploitation intelligence.
Is your ColdFusion or enterprise web stack patched and hardened?
With active exploitation already underway and six more CVSS 10.0 attack vectors waiting for the next automated scanner, now is the time to get a professional eye on your perimeter. Sanjay Seth’s team provides rapid vulnerability assessments, WAF tuning, and zero-trust architecture reviews tailored to Indian enterprises.