Zero-Day Exploits Target Adobe ColdFusion Vulnerability Immediately After Disclosure
A critical remote code execution vulnerability in **Adobe ColdFusion**, **CVE-2026-48282**, is being actively exploited in the wild, mere hours after its public disclosure and patch release. Security professionals are urged to prioritize patching to mitigate the immediate threat posed by unprivileged attackers.
Attackers are now actively exploiting a maximum-severity **Adobe ColdFusion** vulnerability, identified as **CVE-2026-48282**. This critical flaw, affecting ColdFusion versions 2025.9, 2023.20, and earlier, allows unprivileged attackers to achieve remote code execution on unpatched systems.
**Adobe** released security updates on Tuesday, urging administrators to deploy patches immediately due to the high risk of exploitation. The company noted, "This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible (for example, within 72 hours)."
### Rapid Exploitation Confirmed
Just two days later, **KEVIntel** founder **Ryan Dewhurst** confirmed that threat actors began exploiting **CVE-2026-48282** within two hours of Adobe's public disclosure. "Within under two hours of CVE-2026-48282 public details being released, KEVIntel captured in-the-wild exploitation within our global honeypot network," Dewhurst stated.
The **Canadian Center for Cyber Security (CCCS)** has also issued an alert, urging defenders to secure their systems. "Open-source reporting indicates that CVE-2026-48282 is being exploited," the CCCS advised. "The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates."
### Widespread Exposure
Internet security watchdog **Shadowserver** currently tracks nearly 800 **Adobe ColdFusion** instances exposed online. However, it remains unclear how many of these are honeypots or have been successfully patched against attacks targeting **CVE-2026-48282**.

Last week, Adobe also released patches for six other maximum-severity flaws in ColdFusion and **Campaign Classic**, all of which are exploitable via low-complexity attacks without user interaction. While these were tagged as high risk, Adobe had not flagged them as actively exploited at the time.
This incident follows an emergency update in early April for an **Acrobat Reader** vulnerability, **CVE-2026-34621**, which had been exploited as a zero-day since December 2025. Since November 2021, the **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** has listed 79 Adobe product vulnerabilities in its catalog of actively exploited flaws, with 10 of these also abused in ransomware attacks.
**Update July 06, 10:24 EDT:** Attribution for the first in-the-wild exploitation report has been updated to **KEVIntel's Ryan Dewhurst**.