Adobe has released security updates for a critical ColdFusion vulnerability after researchers reported the flaw is being actively exploited in the wild.
Tracked as CVE-2026-48282, the vulnerability carries a CVSS score of 10.0 and affects ColdFusion 2023 Update 20 and earlier, along with ColdFusion 2025 Update 9 and earlier.
Adobe said the path traversal issue could allow arbitrary code to run with the privileges of the current user, with no user interaction required.
The company issued patches through security bulletin APSB26-68 and urged customers to install the latest updates as soon as possible.
The update follows several high-severity enterprise software vulnerability disclosures this year, including Microsoft’s disclosure of six Windows zero-days that were published without patches.
Resecurity Details the Risk
In a technical advisory published on Jul. 6, Resecurity said the flaw affects ColdFusion’s Remote Development Services (RDS), an optional feature designed to support remote development and administration.
While many production environments do not require RDS, the service can remain enabled on internet-facing servers, leaving more systems exposed if deployments are not configured securely.
“Because exploitation requires no authentication, no user interaction, and only a single crafted HTTP request, vulnerable Internet-facing ColdFusion servers are at significant risk of complete compromise,” Resecurity explained.
“Once arbitrary file write is achieved, attackers can execute operating system commands, access sensitive configuration files, obtain application and database credentials, establish persistent access, and potentially pivot to other systems within the internal environment.”
Several government cybersecurity agencies have since issued alerts about the vulnerability.
NHS England’s National Cyber Security Operations Centre, for instance, said researchers had observed exploitation of the vulnerability and assessed that further attacks are “highly likely.”
Adobe urged customers to upgrade to ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10 immediately.
“Adobe addressed this issue by introducing robust path canonicalization, directory boundary enforcement, and input validation within the RDS FILEIO handler,” Resecurity wrote.
Organizations that do not require RDS should disable the feature and implement Adobe’s additional hardening recommendations, including restricting access to administrative interfaces wherever possible.
The disclosure follows a series of high-profile attacks targeting enterprise software, including campaigns abusing ScreenConnect and SimpleHelp software, reinforcing the need to keep internet-facing systems fully up to date.