By Jordan Polasek · July 9, 2026

There is a particular sting to this kind of flaw: it lives in the software that runs your public-facing web applications — the forms, portals, and internal tools your team touches every day — and it took attackers about two hours to start breaking in. That is not a typo. Within roughly two hours of the details going public, real attackers were already using this Adobe ColdFusion flaw against real servers.

## ⚡ The 60-Second Version

>

- What: A maximum-severity flaw in Adobe ColdFusion (CVE-2026-48282) — a "path traversal" bug that lets an attacker with no login and no password run their own code on your server. It is rated at the very top of the severity scale, and it is already being exploited in the wild.
- Fix: Apply Adobe's update immediately. It affects ColdFusion 2025.9, 2023.20, and all earlier versions. Adobe patched it and urged customers to install "within 72 hours." If you can't patch today, take the server off the public internet until you can.
- By when: Now. CISA added it to its Known Exploited Vulnerabilities list on July 7, 2026 and ordered federal agencies to patch by Friday, July 10. Attackers began exploiting it within two hours of disclosure — the clock has already run out.

What actually broke

ColdFusion is a platform businesses use to build web applications quickly — customer portals, quote tools, inventory lookups, membership sites, that sort of thing. A lot of it is quiet, older software running in the background of a company that set it up years ago and hasn't thought much about it since. That is exactly the kind of system attackers love.

The flaw, CVE-2026-48282, is what's called a path traversal vulnerability. In plain terms: the software is supposed to only let you reach files inside its own little sandbox, but this bug lets an attacker "walk" out of that sandbox and reach places they should never be able to touch. Chained together, that gives them the ability to run their own commands on your server — a full takeover — without ever needing a username or password. Security folks describe it as a low-complexity, unauthenticated attack, which is the worst combination there is: easy to pull off, and nothing standing in the way.

It was one of six maximum-severity flaws Adobe fixed in ColdFusion at the end of June. This is the one attackers ran with.

Why "patched" doesn't mean "safe" yet

Here's the part that trips up a lot of business owners. Adobe released the fix, so the story should be over — right?

It isn't, for two reasons.

First, a patch only protects you once you actually install it. The security firm Shadowserver has been tracking roughly 800 ColdFusion servers exposed directly to the internet, and every one that hasn't been updated is still an open door. Publishing a fix doesn't close that door; applying it does.

Second — and this is the uncomfortable one — attackers started exploiting this flaw within about two hours of the technical details becoming public, with early attacks traced to an overseas IP address. If your ColdFusion server was reachable from the internet during that window and hasn't been patched, the honest question isn't only "am I still vulnerable?" It's also "did someone already get in?" That's why a fast patch has to come with a look for signs of a break-in, not just a version-number check.

Who should be paying attention

You don't run ColdFusion yourself, and you may not even know if you do. That's the catch. This tends to show up in:

If any of that sounds familiar, treat it as a "check today" item, not a "get to it next month" item.

What this means for your business

You don't need to be a ColdFusion expert to do the right thing this week. In order:

How BVTech helps

If you're a BVTech managed client, this one is already handled. We keep an inventory of the software running in your environment — including the quiet, older systems that tend to get forgotten — so when a flaw like CVE-2026-48282 lands on CISA's exploited list, we already know whether it touches you, and we patch or isolate it fast. That's the whole point of managed IT: you shouldn't have to hear about a ColdFusion emergency on the news and wonder if it's your problem.

If you're not a client and you genuinely don't know whether you're exposed, that uncertainty is worth resolving. We can help you find out what's running, check whether it's been touched, and lock it down. You can book a quick call, or start with our free Security Scoreboard to see how your internet-facing footprint looks from the outside. Either way, don't let a server nobody's watching be the thing that gets you.

Stay safe out there — and go ask that one question today.

— Jordan Polasek · Founder, BVTech LLC