Open Nav
Sign Up

Adobe Patches Multiple Critical ColdFusion and Campaign Classic Vulnerabilities: CVE-2026-48282 Exploitation Observed

adobe_coldfusion_campaign classic_cve-2026-48282

Filip Dimitrov

July 6, 2026

Adobe has released security updates for multiple critical vulnerabilities affecting Adobe ColdFusion and Adobe Campaign Classic, including several flaws rated CVSS 10.0.

CVE-2026-48282, a critical ColdFusion path traversal vulnerability, has already seen exploitation activity shortly after disclosure. 

Key Details

Affected products

  • Adobe ColdFusion 2025 Update 9 and earlier
  • Adobe ColdFusion 2023 Update 20 and earlier
  • Adobe Campaign Classic ACC v7 7.4.3 build 9396 and earlier on Windows and Linux

Fixed versions

  • Adobe ColdFusion 2025 Update 10
  • Adobe ColdFusion 2023 Update 21
  • Adobe Campaign Classic ACC v7 7.4.3 build 9397

Exploitation status

  • Adobe stated at publication that it was not aware of exploitation in the wild.
  • After disclosure, exploitation of CVE-2026-48282 was reported.
  • Public technical analysis has increased the likelihood of rapid weaponization.

Vulnerabilities Patched

Adobe’s ColdFusion update addresses multiple critical and important vulnerabilities, including:

CVEVulnerability TypeImpactCVSS
CVE-2026-48276Unrestricted upload of file with dangerous typeArbitrary code execution10.0
CVE-2026-48277Improper input validationArbitrary code execution10.0
CVE-2026-48281Improper input validationArbitrary code execution10.0
CVE-2026-48316Improper input validationArbitrary code execution10.0
CVE-2026-48282Path traversalArbitrary code execution10.0
CVE-2026-48283Unrestricted upload of file with dangerous typeArbitrary code execution10.0
CVE-2026-48313Path traversalArbitrary file system read9.3
CVE-2026-48315Improper input validationPrivilege escalation9.3
CVE-2026-48307Reflected cross-site scriptingArbitrary code execution8.8
CVE-2026-48285Server-side request forgerySecurity feature bypass8.6
CVE-2026-48314Path traversalPrivilege escalation6.5

Technical Analysis

The most immediately concerning issue is CVE-2026-48282, a ColdFusion path traversal vulnerability that can lead to arbitrary code execution without user interaction. NVD lists the issue as network-exploitable, low-complexity, requiring no privileges and no user interaction, with a CVSS 3.1 score of 10.0.

CVE-2026-48282 is tied to arbitrary file write behavior in ColdFusion’s RDS-related file handling, while CVE-2026-48313 aligns with arbitrary file read behavior. The underlying issue affected file operations such as read, write, rename, delete, directory creation, and directory listing before Adobe added stronger canonical path validation.

This is important because arbitrary file read can expose configuration files, credentials, application secrets, database connection strings, or system information. Arbitrary file write is more severe because it can potentially allow attackers to place malicious files in web-accessible directories, leading to remote code execution.

CVE-2026-48276 is a file upload path traversal issue in the CKEditor file manager functionality. File uploads are disabled by default, but if enabled, the upload endpoint may be reachable without authentication and could allow attackers to write files outside the intended directory scope.

Threat Assessment

ColdFusion vulnerabilities have historically been attractive to attackers because affected systems are often internet-facing and connected to business-critical applications. The presence of multiple unauthenticated, low-complexity RCE-class vulnerabilities significantly increases the risk of opportunistic scanning, proof-of-concept adaptation, web shell deployment, credential theft, and ransomware staging.

The risk is especially high for organizations that expose ColdFusion administrative, CFIDE, RDS, or file manager functionality to the internet. Even where vulnerable features are not enabled by default, defenders should verify configuration state rather than assume they are safe.

The broader timing is also notable. Adobe announced that it is moving from monthly to twice-monthly security bulletins starting July 14, 2026, citing AI-accelerated vulnerability discovery and the shrinking window between disclosure and exploitation. In this case, exploitation reporting emerged within days of disclosure, reinforcing the need for faster validation and patch deployment.

Recommended Actions

Organizations should immediately identify all Adobe ColdFusion and Adobe Campaign Classic deployments and confirm whether they are running affected versions.

For Adobe ColdFusion:

  • Upgrade ColdFusion 2025 to Update 10.
  • Upgrade ColdFusion 2023 to Update 21.
  • Review whether RDS is enabled and disable it unless explicitly required.
  • Restrict access to ColdFusion administrative and developer interfaces.
  • Review exposure of /CFIDE/ and ColdFusion script directories from the internet.
  • Validate that file upload and file manager functionality is disabled unless there is a documented business requirement.
  • Apply Adobe’s ColdFusion lockdown guidance and review security configuration settings.

For Adobe Campaign Classic:

  • Upgrade on-premise ACC v7 deployments to 7.4.3 build 9397.
  • Confirm whether any hybrid deployment includes on-premise Campaign Classic components.
  • No action is required for Adobe-hosted Campaign Classic instances, according to Adobe.

Detection and hunting teams should review web server, reverse proxy, WAF, and application logs for:

  • Requests to ColdFusion RDS or CFIDE endpoints from unknown external IPs
  • Suspicious ACTION=FILEIO activity
  • Attempts to reference sensitive local files such as Windows configuration files
  • Unexpected file writes into ColdFusion webroot directories
  • Suspicious requests to CKEditor file manager upload or directory listing functionality
  • Newly created .cfm, .jsp, .war, or other executable web-accessible files
  • Unusual child processes spawned by ColdFusion or Java application server processes

Indicators of Compromise

TypeIndicatorContext
IP address103.207.14[.]220Reported source of exploitation attempt against CVE-2026-48282
URL path/CFIDE/main/ide.cfmRDS-related ColdFusion endpoint to review for suspicious activity
Query patternACTION=FILEIOSuspicious when seen from untrusted sources
URL path/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfmFile upload functionality associated with CVE-2026-48276 analysis
URL path/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/filemanager.cfcFile manager functionality to review for traversal and listing attempts


Stay Safe. Stay Secure.
OP Innovate Research Team

Under Cyber Attack?

Fill out the form and we will contact you immediately.