
Adobe issued an emergency security bulletin on June 30 covering 11 ColdFusion vulnerabilities. Seven carry a CVSS score of 10.0 — the maximum on the scale. One of them was being exploited in the wild within 24 hours of disclosure. If you run ColdFusion, you are already behind.
What APSB26-68 Covers
Adobe’s security bulletin APSB26-68 covers 11 vulnerabilities across ColdFusion 2023 and ColdFusion 2025, with one additional critical flaw in Campaign Classic v7. Adobe assigned it Priority Rating 1 — reserved for vulnerabilities that are either already being targeted or pose an extreme exploitation risk.
Affected versions: ColdFusion 2025 Update 9 and earlier, ColdFusion 2023 Update 20 and earlier. The fixes are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, both available now.
Seven CVSS 10.0 Flaws — No Authentication Required
Six of the eleven ColdFusion flaws hit CVSS 10.0. One additional Campaign Classic flaw does too. CVSS 10.0 means maximum severity — in this case, remote code execution with no credentials and no user interaction required. An attacker with network access to your server is the only prerequisite.
- Unrestricted file upload (CVE-2026-48276, CVE-2026-48283): Unauthenticated attackers can upload and execute arbitrary files on the server.
- Improper input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316): Three separate input validation flaws, all enabling RCE without authentication.
- Path traversal (CVE-2026-48282): Arbitrary file write — and the one already being used in attacks.
CVE-2026-48282 Is Already Being Exploited
CVE-2026-48282 is the one you need to care about right now. NHS England Digital issued cyber alert CC-4808 confirming active exploitation of this path traversal flaw within hours of Adobe’s bulletin going public. The first recorded attempt tried to read C:\Windows\win.ini — a classic probe to confirm file system access before escalating to code execution.
The watchTowr Labs analysis found the patches quietly close off more than the CVE implies: the same fix also eliminates arbitrary file move, file delete, directory creation, and directory listing attack paths. One CVE ID, several attack surfaces patched simultaneously.
The File Upload Flaw Is Especially Dangerous
CVE-2026-48276 is an unauthenticated file upload vulnerability. The upload endpoint requires no login. An attacker sends a crafted request with a path traversal payload in the path parameter, and the file lands on disk running as NT AUTHORITY\SYSTEM — the highest privilege level on Windows. Adobe’s patch blocks file extensions like .jspf, .cfmail, and .war that can execute server-side code.
If your ColdFusion instance has file upload enabled and is internet-facing, treat this as an active incident risk until you patch.
ColdFusion’s Track Record Makes This Non-Optional
This is not a theoretical concern. Adobe ColdFusion has a documented pattern of post-patch exploitation that makes delayed response especially dangerous:
- CVE-2024-20767, patched in March 2024, was under active exploitation by December 2024.
- On Christmas Day 2025, attackers deliberately timed a 2.5 million-request campaign against ColdFusion servers — 68% of the traffic hitting on a single holiday, targeting reduced-staffing windows.
- Over five years, CISA has added 79 Adobe product vulnerabilities to its Known Exploited Vulnerabilities catalog. Ten have been directly linked to ransomware deployments.
ColdFusion servers are attractive targets precisely because they tend to run in government agencies, healthcare providers, financial institutions, and universities — organizations with high-value data and complex, expensive-to-migrate legacy codebases. Ransomware operators understand that equation.
What to Do Right Now
- Patch immediately. Apply ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10. Campaign Classic users: update to v7.4.3 build 9397.
- Block admin pages at the perimeter if you cannot patch right now. ColdFusion Administrator should never be internet-exposed — enforce this as an emergency measure.
- Enforce MFA on all ColdFusion administrator accounts.
- Audit file upload endpoints. Restrict allowed extensions at both the application and server level. The patch helps, but defense-in-depth matters here.
- Hunt for indicators of compromise. Look for unexpected files in the ColdFusion web root, unusual outbound connections from the ColdFusion host, and new or modified .cfm or .jsp files in web-accessible directories.
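One way to run the file-hunting step above, as an added example that is not from Adobe, watchTowr or the bulletin: a Python scan that lists server-side executable files under a ColdFusion web root which are either newer than a cutoff (say, the bulletin date) or absent from a manifest recorded from a known-clean deployment. The manifest approach, the `.cfc`/`.cfml` additions to the page's extension list, and the constructed sample tree are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path

# Extensions the server executes as code: .cfm/.cfc/.jsp are the templates a
# web shell would use; .jspf, .cfmail and .war are the ones the patch now blocks.
EXECUTABLE_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspf", ".cfmail", ".war"}

def executable_files(webroot):
    """Yield (relative POSIX path, Path) for every executable file under webroot."""
    root = Path(webroot)
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTENSIONS:
            yield p.relative_to(root).as_posix(), p

def build_manifest(webroot):
    """Record the executable files of a known-clean deployment (relative paths)."""
    return {rel for rel, _ in executable_files(webroot)}

def scan_webroot(webroot, modified_since, manifest=None):
    """Return (path, reason) for executable files absent from the clean manifest
    or modified at/after `modified_since` (epoch seconds, e.g. the bulletin date)."""
    findings = []
    for rel, p in executable_files(webroot):
        if manifest is not None and rel not in manifest:
            findings.append((rel, "not in clean deployment manifest"))
        elif p.stat().st_mtime >= modified_since:
            findings.append((rel, "modified after cutoff"))
    return findings

def build_demo_webroot(webroot):
    """Constructed sample tree: an old legitimate template, an image, and a
    freshly dropped .jspf under CFIDE. Returns a cutoff between old and new."""
    root = Path(webroot)
    (root / "cfide").mkdir(exist_ok=True)
    old = time.time() - 30 * 86400
    for name, body in [("index.cfm", "<cfoutput>ok</cfoutput>"), ("logo.png", "x")]:
        (root / name).write_text(body)
        os.utime(root / name, (old, old))
    (root / "cfide" / "h.jspf").write_text("<%-- constructed placeholder --%>")
    return time.time() - 86400

def run_demo():
    """Scan the constructed tree twice: by timestamp alone, then against a
    manifest recorded before the .jspf appeared (its entry is removed)."""
    with tempfile.TemporaryDirectory() as d:
        cutoff = build_demo_webroot(d)
        manifest = build_manifest(d) - {"cfide/h.jspf"}
        return scan_webroot(d, cutoff), scan_webroot(d, cutoff, manifest)
```

Against a real host, record `build_manifest()` from a clean install or backup, then point `scan_webroot()` at the live web root with the bulletin date as the cutoff; timestamps can be forged, so the manifest comparison is the check to trust.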
Adobe’s official bulletin and Pete Freitag’s ColdFusion security tracking are worth bookmarking for ongoing patch monitoring. If your organization is still on an unsupported ColdFusion version, this bulletin is the business case you bring to the budget meeting.
For the full technical breakdown of what each fix actually closes off, the Bleeping Computer coverage and the watchTowr Labs post are the most thorough reads available.