Adobe ColdFusion Critical Vulnerabilities

Overview

  • CVE: CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48282, CVE-2026-48283, CVE-2026-48313, CVE-2026-48315, CVE-2026-48286

  • Severity: Critical

  • Date: 1 July 2026

Adobe has released an emergency security update addressing eight critical vulnerabilities in ColdFusion and Adobe Campaign Classic. Six of the vulnerabilities carry the maximum CVSS score of 10.0, enabling unauthenticated remote code execution without user interaction. Organisations running ColdFusion 2025.9, 2023.20 or earlier, or Campaign Classic 7.4.3 build 9396 and earlier, are at immediate risk and should patch without delay.

Affected Versions

  • ColdFusion: Versions 2025.9, 2023.20 and earlier

  • Fixed in: ColdFusion 2025 Update 10, ColdFusion 2023 Update 21

  • Adobe Campaign Classic (ACC): Versions 7.4.3 build 9396 and earlier

  • ColdFusion 2021: No longer covered by security fixes and remains at risk

Vulnerability Breakdown

CVE-2026-48276 - Unrestricted File Upload

  • Severity: Critical

  • CVSS: 10.0

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution on the ColdFusion server under the current user context.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48277 - Improper Input Validation

  • Severity: Critical

  • CVSS: 10.0

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution on the ColdFusion server under the current user context.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48281 - Improper Input Validation

  • Severity: Critical

  • CVSS: 10.0

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution on the ColdFusion server under the current user context.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48282 - Path Traversal

  • Severity: Critical

  • CVSS: 10.0

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability that could lead to arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution on the ColdFusion server under the current user context.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48283 - Unrestricted File Upload

  • Severity: Critical

  • CVSS: 10.0

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution on the ColdFusion server under the current user context.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48313 - Path Traversal

  • Severity: Critical

  • CVSS: 9.3

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability that could lead to arbitrary file system read and limited write access. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope.

  • Impact: Arbitrary file system read and limited write access, exposing sensitive files and directories outside the intended access scope.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48286 - Incorrect Authorization

  • Severity: Critical

  • CVSS: 9.3

  • Description: Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user.

  • Impact: Arbitrary code execution under the current user context within Adobe Campaign Classic.

  • Conditions: No user interaction required. Scope is changed.

CVE-2026-48315 - Improper Input Validation

  • Severity: Critical

  • CVSS: 9.3

  • Description: ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim account or session.

  • Impact: Arbitrary code execution and potential session hijacking through malicious script injection.

  • Conditions: Requires user interaction - a victim must open a malicious file. Scope is changed.

Recommended actions

We recommend the following as a priority:

  • Patch immediately. Update to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21, and update Adobe Campaign Classic if running 7.4.3 build 9396 or earlier. Treat this as the top priority — six flaws carry the maximum CVSS 10.0 score.

  • Test before deploying. Apply updates to a non-production copy first, as ColdFusion updates can occasionally disrupt applications.

  • Retire unsupported versions. ColdFusion 2021 no longer receives security fixes — plan migration off it, and isolate it in the meantime.

  • Harden management exposure. Block external access to the ColdFusion administrator pages (e.g. /CFIDE/administrator) and disable internet exposure of administrative interfaces wherever possible.

  • Deploy firewall/WAF protections. Enable your firewall/WAF rules for this update to reduce the exploitable attack surface until patching is complete.

  • Enforce MFA on all ColdFusion administrative accounts and on any remote or administrative access.

  • Apply least privilege. Run the ColdFusion service under a low-privileged account and restrict file-upload directories so a dropped file cannot be executed.

  • Rotate credentials. Rotate ColdFusion admin passwords and datasource credentials, particularly if configuration secrets (neo-datasource.xml, neo-security.xml, neo-runtime.xml) may have been exposed.

  • Isolate unpatched servers. Any server that cannot be updated quickly should be isolated from the internet until it can be patched.

  • Review logs for unusual access, failed-login spikes, new admin users, suspicious uploads (double extensions such as .jpg.cfm), configuration-file reads, and the ColdFusion service spawning command-line programs.

Indicators (behavioral, pre-exploitation)

NOTE - Adobe has not yet reported "in the wild" exploitation; treat the indicators below as a guide only.

File-system (webshell drop — CVE-2026-48276/48283 upload, -48282 traversal)

  • New/modified .cfm, .cfc, .cfml, .jsp files in web-servable paths: \wwwroot\CFIDE\, \cfusion\wwwroot\, cf_scripts\, and any cffile upload destinations

  • Historical ColdFusion webshells often dropped under CFIDE\ — high-signal location

Process telemetry

  • ColdFusion JVM (coldfusion.exe, java.exe under the CF service) spawning cmd.exe, powershell.exe, /bin/sh, bash, whoami, net, certutil, curl, wget

  • Base64-encoded PowerShell (-enc) from CF parent process — the 2023 campaigns used Base64 payloads

Web/HTTP logs

  • POSTs to upload endpoints with suspicious content types or double extensions (.jpg.cfm)

  • Reads/access attempts against config secrets: neo-datasource.xml, neo-security.xml, neo-runtime.xml

  • Unexpected access to files outside the web root, especially credential/config files
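As an added defender's example (not part of this advisory), the Python script below applies the web/HTTP log indicators above, and the log-review bullet under Recommended actions, to constructed sample log lines. It flags decoded path-traversal sequences, reads of the neo-*.xml configuration secrets, upload requests whose target name carries a double extension such as .jpg.cfm, and administrator-page access from outside an assumed internal management range (the INTERNAL_NETS list and the sample log are assumptions).

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed internal management networks; administrator-page access from anywhere else is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONFIG_SECRETS = ("neo-datasource.xml", "neo-security.xml", "neo-runtime.xml")
# Benign-looking extension immediately followed by a ColdFusion/JSP executable extension.
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|pdf|txt)\.(cfm|cfc|cfml|jsp)\b")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2026:10:01:02 +1000] "POST /upload.cfm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2026:10:01:05 +1000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.10 - - [01/Jul/2026:10:01:07 +1000] "GET /images/..%2f..%2flib%2fneo-datasource.xml HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - - [01/Jul/2026:10:01:09 +1000] "POST /upload.cfm?name=photo.jpg.cfm HTTP/1.1" 200 300 "-" "curl/8.0"
198.51.100.5 - - [01/Jul/2026:10:02:00 +1000] "GET /index.cfm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def classify(ip, method, path):
    """Return the indicator names a single request matches (empty list means nothing matched)."""
    hits = []
    decoded = unquote(unquote(path)).lower()  # decode twice so %252e-style double encoding is caught
    if "../" in decoded or "..\\" in decoded:   # traversal outside the web root
        hits.append("path-traversal")
    if any(name in decoded for name in CONFIG_SECRETS):   # configuration secret reads
        hits.append("config-secret-read")
    if method == "POST" and DOUBLE_EXT_RE.search(decoded):  # webshell-style upload names
        hits.append("double-extension-upload")
    if "/cfide/administrator" in decoded and not is_internal(ip):  # admin UI from outside
        hits.append("external-admin-access")
    return hits

def scan_log(text):
    """Parse each log line and return one finding per request that matches any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["ip"], m["method"], m["path"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"], "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], ",".join(f["indicators"]))
```

Point scan_log at a real access log only after confirming the log format and your own internal ranges; hits are leads for triage, not proof of compromise.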

Summary for IT Teams

  • Products: Adobe ColdFusion, Adobe Campaign Classic (ACC)

  • Threat Level: Critical, CVSS 10.0

  • Action Required: Apply the latest vendor patches for ColdFusion (2025 Update 10 or 2023 Update 21) and Campaign Classic immediately. Block external access to admin pages if patching is delayed. Enforce MFA for all admin accounts. Monitor for indicators of compromise.

Need Help?

Secure ISS provides managed SOC services, vulnerability management and incident response for Australian organisations. If you need assistance assessing your exposure to these vulnerabilities or patching your ColdFusion environment, contact us on 1300 769 460 or visit our website.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.