Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.
CVE-2026-48282, a critical ColdFusion path traversal vulnerability, has already seen exploitation activity shortly after disclosure.
Key Details
Affected products
- Adobe ColdFusion 2025 Update 9 and earlier
- Adobe ColdFusion 2023 Update 20 and earlier
- Adobe Campaign Classic ACC v7 7.4.3 build 9396 and earlier on Windows and Linux
Fixed versions
- Adobe ColdFusion 2025 Update 10
- Adobe ColdFusion 2023 Update 21
- Adobe Campaign Classic ACC v7 7.4.3 build 9397
Exploitation status
- Adobe stated at publication that it was not aware of exploitation in the wild.
- After disclosure, exploitation of CVE-2026-48282 was reported.
- Public technical analysis has increased the likelihood of rapid weaponization.
Vulnerabilities Patched
Adobe’s ColdFusion update addresses multiple critical and important vulnerabilities, including:
| CVE | Vulnerability Type | Impact | CVSS |
| CVE-2026-48276 | Unrestricted upload of file with dangerous type | Arbitrary code execution | 10.0 |
| CVE-2026-48277 | Improper input validation | Arbitrary code execution | 10.0 |
| CVE-2026-48281 | Improper input validation | Arbitrary code execution | 10.0 |
| CVE-2026-48316 | Improper input validation | Arbitrary code execution | 10.0 |
| CVE-2026-48282 | Path traversal | Arbitrary code execution | 10.0 |
| CVE-2026-48283 | Unrestricted upload of file with dangerous type | Arbitrary code execution | 10.0 |
| CVE-2026-48313 | Path traversal | Arbitrary file system read | 9.3 |
| CVE-2026-48315 | Improper input validation | Privilege escalation | 9.3 |
| CVE-2026-48307 | Reflected cross-site scripting | Arbitrary code execution | 8.8 |
| CVE-2026-48285 | Server-side request forgery | Security feature bypass | 8.6 |
| CVE-2026-48314 | Path traversal | Privilege escalation | 6.5 |
Technical Analysis
The most immediately concerning issue is CVE-2026-48282, a ColdFusion path traversal vulnerability that can lead to arbitrary code execution without user interaction. NVD lists the issue as network-exploitable, low-complexity, requiring no privileges and no user interaction, with a CVSS 3.1 score of 10.0.
CVE-2026-48282 is tied to arbitrary file write behavior in ColdFusion’s RDS-related file handling, while CVE-2026-48313 aligns with arbitrary file read behavior. The underlying issue affected file operations such as read, write, rename, delete, directory creation, and directory listing before Adobe added stronger canonical path validation.
This is important because arbitrary file read can expose configuration files, credentials, application secrets, database connection strings, or system information. Arbitrary file write is more severe because it can potentially allow attackers to place malicious files in web-accessible directories, leading to remote code execution.
CVE-2026-48276 is a file upload path traversal issue in the CKEditor file manager functionality. File uploads are disabled by default, but if enabled, the upload endpoint may be reachable without authentication and could allow attackers to write files outside the intended directory scope.
Threat Assessment
ColdFusion vulnerabilities have historically been attractive to attackers because affected systems are often internet-facing and connected to business-critical applications. The presence of multiple unauthenticated, low-complexity RCE-class vulnerabilities significantly increases the risk of opportunistic scanning, proof-of-concept adaptation, web shell deployment, credential theft, and ransomware staging.
The risk is especially high for organizations that expose ColdFusion administrative, CFIDE, RDS, or file manager functionality to the internet. Even where vulnerable features are not enabled by default, defenders should verify configuration state rather than assume they are safe.
The broader timing is also notable. Adobe announced that it is moving from monthly to twice-monthly security bulletins starting July 14, 2026, citing AI-accelerated vulnerability discovery and the shrinking window between disclosure and exploitation. In this case, exploitation reporting emerged within days of disclosure, reinforcing the need for faster validation and patch deployment.
Recommended Actions
Organizations should immediately identify all Adobe ColdFusion and Adobe Campaign Classic deployments and confirm whether they are running affected versions.
For Adobe ColdFusion:
- Upgrade ColdFusion 2025 to Update 10.
- Upgrade ColdFusion 2023 to Update 21.
- Review whether RDS is enabled and disable it unless explicitly required.
- Restrict access to ColdFusion administrative and developer interfaces.
- Review exposure of /CFIDE/ and ColdFusion script directories from the internet.
- Validate that file upload and file manager functionality is disabled unless there is a documented business requirement.
- Apply Adobe’s ColdFusion lockdown guidance and review security configuration settings.
For Adobe Campaign Classic:
- Upgrade on-premise ACC v7 deployments to 7.4.3 build 9397.
- Confirm whether any hybrid deployment includes on-premise Campaign Classic components.
- No action is required for Adobe-hosted Campaign Classic instances, according to Adobe.
Detection and hunting teams should review web server, reverse proxy, WAF, and application logs for:
- Requests to ColdFusion RDS or CFIDE endpoints from unknown external IPs
- Suspicious ACTION=FILEIO activity
- Attempts to reference sensitive local files such as Windows configuration files
- Unexpected file writes into ColdFusion webroot directories
- Suspicious requests to CKEditor file manager upload or directory listing functionality
- Newly created .cfm, .jsp, .war, or other executable web-accessible files
- Unusual child processes spawned by ColdFusion or Java application server processes
Indicators of Compromise
| Type | Indicator | Context |
| IP address | 103.207.14[.]220 | Reported source of exploitation attempt against CVE-2026-48282 |
| URL path | /CFIDE/main/ide.cfm | RDS-related ColdFusion endpoint to review for suspicious activity |
| Query pattern | ACTION=FILEIO | Suspicious when seen from untrusted sources |
| URL path | /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm | File upload functionality associated with CVE-2026-48276 analysis |
| URL path | /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/filemanager.cfc | File manager functionality to review for traversal and listing attempts |
Stay Safe. Stay Secure.
OP Innovate Research Team



