CISA adds Adobe ColdFusion CVE-2026-48282 to KEV with a July 10 patch deadline

Help Net Security article image for CVE-2026-48282 coverage.Help Net Security
Help Net Security article image for CVE-2026-48282 coverage.Help Net Security
Tools & Apps

CISA has marked Adobe ColdFusion CVE-2026-48282 as actively exploited, giving U.S. federal civilian agencies until July 10, 2026, to apply vendor mitigations.

CISA has added Adobe ColdFusion CVE-2026-48282 to its Known Exploited Vulnerabilities catalog. Confidence level: confirmed. NVD lists the flaw as a CVSS 10.0 ColdFusion path traversal issue, and the KEV entry gives U.S. federal civilian agencies a July 10, 2026 deadline to apply vendor mitigations.

Help Net Security article image for CVE-2026-48282 coverage.
Help Net Security article image for CVE-2026-48282 coverage.

Image source: Help Net Security.

What changed

CVE-2026-48282 affects Adobe ColdFusion 2025.9, ColdFusion 2023.20, and earlier versions. NVD describes it as a path traversal vulnerability that can lead to arbitrary code execution in the context of the current user and does not require user interaction.

CISA's KEV data marks exploitation as active and sets July 10, 2026 as the federal remediation deadline. Adobe's linked vendor bulletin is the patch source to verify fixed versions and installation steps before touching production systems.

Key takeaways

  • CVE-2026-48282 is listed by NVD with a CVSS 3.1 base score of 10.0.
  • The issue affects ColdFusion 2025.9, ColdFusion 2023.20, and earlier releases.
  • CISA added the flaw to KEV on July 7, 2026, based on active exploitation.
  • The federal due date shown in the KEV data is July 10, 2026.
  • Internet-facing ColdFusion servers should be patched, checked for RDS exposure, and reviewed for compromise indicators.
CheckWhat to doWhy it matters
VersionConfirm whether ColdFusion is at or below 2025.9 or 2023.20Those versions are listed as affected
ExposureIdentify internet-facing ColdFusion servicesExploited edge systems carry the highest operational risk
RDSCheck whether Remote Development Services is enabled and how it is protectedIndependent reporting ties exploitation conditions to RDS exposure
PatchApply Adobe's fixed update pathCISA points agencies to vendor mitigations
HuntReview web roots, /CFIDE/, new files, and unusual requestsExploitation may involve file write or execution paths

Availability and access

This is a patch-and-triage item, not a product rollout. Admins should use Adobe's bulletin for the official update path, then confirm the installed ColdFusion build and restart requirements in their own environment.

U.S. federal civilian executive branch agencies have a KEV deadline of July 10, 2026. Private-sector teams are not bound by that directive, but KEV status is a strong prioritization signal because it means CISA has evidence of active exploitation.

Why it matters

ColdFusion remains present in enterprise web stacks, often behind old admin paths, internal applications, and exposed legacy services. A CVSS 10.0 vulnerability with active exploitation does not belong in a normal monthly patch queue.

For LinkLoot readers running mixed infrastructure, the practical move is simple: turn the KEV entry into a short incident task. Find ColdFusion, confirm version, patch or isolate, check RDS, review logs, and document whether the server was reachable from the internet. Teams that automate this kind of follow-up can adapt the checks in our AI workflow automation guide for ticket creation and evidence collection.

What to verify before you act

  • Confirm the affected ColdFusion version and exact Adobe fixed update for your branch.
  • Check whether the system exposes ColdFusion or /CFIDE/ paths to the internet.
  • Verify whether RDS is enabled, whether authentication protects it, and whether it is needed.
  • Review logs and filesystem changes from June 30, 2026 onward.
  • Recheck CISA KEV and Adobe's bulletin for updates before closing the incident.

Source check

Confirmed by:

  • NVD lists CVE-2026-48282, Adobe as source, affected ColdFusion versions, CVSS 10.0, and the CISA KEV relationship.
  • CISA's KEV reference in NVD shows active exploitation and a July 10, 2026 due date.
  • Adobe's bulletin is the vendor advisory linked from NVD for mitigation details.

Independent context:

  • Help Net Security reports exploitation activity, summarizes the ColdFusion RDS angle, and notes that admins should upgrade to the fixed ColdFusion 2025 and 2023 updates.
FAQ

CVE-2026-48282 is an Adobe ColdFusion path traversal vulnerability that NVD says can lead to arbitrary code execution without user interaction.