Adobe ColdFusion flaw now under attack, Canada's cyber agency warns

A critical bug in Adobe's web platform is being exploited days after patches shipped. Roughly 800 servers sit exposed online.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial image of a dimly lit server rack in a corporate data centre, one server bay glowing with a warning-red status LED while others sh
Share

Key points

  • The Canadian Centre for Cyber Security warned on Thursday that hackers are actively exploiting a critical Adobe ColdFusion flaw tracked as CVE-2026-48282.
  • Adobe released a fix on Tuesday and urged administrators to patch within 72 hours.
  • The bug lets an attacker run their own code on a vulnerable server without needing a password or any user action.
  • Internet scanning group Shadowserver counts close to 800 ColdFusion servers reachable from the public internet.
  • Since November 2021, US authorities have added 79 Adobe product flaws to their catalogue of bugs known to be exploited by criminals.

Hackers are already breaking into servers running Adobe ColdFusion, and Canada's national cyber agency is telling defenders to patch now.

ColdFusion is a commercial tool that companies use to build business websites and web applications. The flaw, tracked as CVE-2026-48282, affects ColdFusion versions 2025.9, 2023.20, and earlier releases. In plain terms, it lets an attacker send a booby-trapped request to a vulnerable server and take control of it, no login required.

Adobe shipped a patch on Tuesday. Two days later, the Canadian Centre for Cyber Security, the government body that coordinates Canada's response to major cyber incidents, said attacks were already underway and pushed administrators to update.

"Open-source reporting indicates that CVE-2026-48282 is being exploited," the agency said in its advisory.

Adobe had flagged the bug as high risk from the start. Its own security bulletin told customers to install the update "as soon as possible (for example, within 72 hours)." That is the language Adobe reserves for flaws it expects criminals to jump on quickly.

Who is actually exploiting it?

Nobody has named a group yet. The Canadian advisory points only to "open-source reporting," and there is no public attribution to a known cluster such as the ransomware crews or state-linked operators that have historically feasted on ColdFusion bugs. That matters. ColdFusion flaws have a long history of being picked up by both criminal ransomware affiliates and Chinese and Iranian espionage groups within days of disclosure, so capability here is broad even if intent, from this specific wave, is unclear.

Treat this as medium confidence at best on who is behind it, and high confidence that exploitation is real.

How exposed are companies right now?

Shadowserver, a non-profit that scans the internet for exposed systems, currently sees close to 800 ColdFusion servers reachable from the open web. Some of those will be honeypots (decoy systems set up by researchers), and some will already be patched. The rest are the problem.

Any organisation running ColdFusion should assume its server is on someone's target list today.

What should ordinary people do?

Most readers will not run ColdFusion themselves. But plenty of the websites they use, from local government portals to small business booking systems, are built on it. If you get an email in the coming weeks saying a service you use has had a data breach, take it seriously: change the password, and turn on two-factor authentication, which is the extra code sent to your phone when you log in.

This is the second painful month for Adobe customers. In early April, the company pushed emergency fixes for an Acrobat Reader bug, CVE-2026-34621, that had been quietly exploited as a zero-day, meaning a flaw the vendor did not know about, for roughly four months. Last week Adobe also patched six other maximum-severity bugs across ColdFusion and its Campaign Classic marketing product, though it says none of those are being attacked yet.

As BleepingComputer noted, the US Cybersecurity and Infrastructure Security Agency has added 79 Adobe flaws to its known-exploited list since November 2021. Ten of those have shown up in ransomware attacks, where criminals lock a company's files and demand payment to unlock them.

ColdFusion, in other words, is a repeat target. The 72-hour clock Adobe suggested is already up.

© 2026 Threat Vectr