Adobe ColdFusion servers are once again being targeted after public details emerged for CVE-2026-48282, a maximum-severity path traversal vulnerability that can lead to remote code execution on vulnerable systems.
The flaw affects ColdFusion 2025 Update 9 and earlier, as well as ColdFusion 2023 Update 20 and earlier. Adobe addressed the issue in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21.
According to reported exploitation activity, attackers began probing for the vulnerability shortly after public details were released. Observed activity included unauthenticated attempts to read and write arbitrary files, raising the risk for exposed ColdFusion servers that have not yet been updated.
The vulnerability carries a CVSS score of 10.0, making it a critical issue for organizations running internet-facing ColdFusion instances.
Administrators should apply the latest Adobe ColdFusion updates immediately, review exposed instances, and check logs for suspicious file access, upload, or write activity.