TL;DR
what: Adobe ColdFusion's maximum-severity flaw CVE-2026-48282 is being actively exploited for unauthenticated remote code execution just days after the July 1, 2026 patch shipped.
impact: Attackers can run code on unpatched, internet-facing ColdFusion servers with no credentials and no user interaction, giving them a foothold for data theft and lateral movement.
fix: Apply Adobe's July 1, 2026 updates immediately, upgrading past ColdFusion 2025.9 and 2023.20; Adobe recommends deployment within 72 hours.
who: Any organization running an internet-exposed ColdFusion 2025, 2023, or earlier server, with roughly 800 instances currently visible online.










