Adobe published Security Bulletin APSB26-68 on June 30, 2026, disclosing eleven vulnerabilities in ColdFusion — six of which carry a CVSS score of 10.0, the highest possible rating. All six allow an unauthenticated remote attacker to execute arbitrary code on the server with no user interaction required, placing this bulletin among the most severe Adobe has ever released for ColdFusion. Adobe assigned its highest Priority Rating of 1, meaning Adobe considers these vulnerabilities to be actively targeted or imminently exploitable in the wild.

The affected versions are ColdFusion 2025 Update 9 and earlier, and ColdFusion 2023 Update 20 and earlier. Adobe has released fixes in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. At the time of disclosure, Adobe stated it was not aware of any exploits in the wild — but a Priority 1 designation with six CVSS 10.0 RCE flaws demands immediate action regardless of that statement.

If you run ColdFusion and have not applied these updates, treat this as an emergency.

What the Vulnerabilities Are

Adobe ColdFusion is an application server and development platform used primarily in enterprise web development, government systems, and legacy business applications. ColdFusion installations that serve web traffic are directly in scope for these vulnerabilities — any attacker who can reach the ColdFusion HTTP listener can exploit them without credentials.

APSB26-68 covers eleven CVEs in total. Six are rated CVSS 10.0:

CVE-2026-48276 (CWE-434: Unrestricted Upload of File with Dangerous Type) — An attacker can upload a file of any type without restriction, leading to arbitrary code execution. No authentication required.

CVE-2026-48277 (CWE-20: Improper Input Validation) — Improper validation of attacker-supplied input results in code execution. No authentication required, no user interaction required.

CVE-2026-48281 (CWE-20: Improper Input Validation) — A second distinct improper input validation pathway enabling unauthenticated RCE.

CVE-2026-48282 (CWE-22: Path Traversal) — A path traversal flaw allows an attacker to reference files outside the intended directory, resulting in code execution. No authentication required.

CVE-2026-48283 (CWE-434: Unrestricted Upload of File with Dangerous Type) — A second unrestricted file upload vulnerability enabling unauthenticated code execution, distinct from CVE-2026-48276.

CVE-2026-48316 (CWE-20: Improper Input Validation) — A third improper input validation flaw enabling code execution. This CVE's CVSS vector differs slightly from the others (no availability impact component), but still scores 10.0.

Beyond the six 10.0-score CVEs, five additional vulnerabilities were patched in the same bulletin:

  • CVE-2026-48313 (CVSS 9.3): Path traversal enabling arbitrary file system reads — unauthenticated, network-accessible.
  • CVE-2026-48315 (CVSS 9.3): Improper input validation enabling privilege escalation — unauthenticated.
  • CVE-2026-48307 (CVSS 8.8): Stored cross-site scripting (XSS) that can be chained to code execution, exploitable via adjacent network.
  • CVE-2026-48285 (CVSS 8.6): Server-Side Request Forgery (SSRF) enabling security feature bypass.
  • CVE-2026-48314 (CVSS 6.5, Important): Path traversal enabling privilege escalation.

All vulnerabilities affect ColdFusion 2025 and ColdFusion 2023 on all supported platforms (Windows, Linux, macOS).

Why It Matters

Six CVSS 10.0 scores in a single bulletin is exceptional. A 10.0 score requires that the attack is network-accessible, unauthenticated, requires no user interaction, and delivers complete confidentiality, integrity, and availability impact. Having six such CVEs patched simultaneously indicates a significant pre-patch exposure window during which these pathways coexisted in production deployments.

Adobe Priority 1 means: patch before anything else. Adobe's Priority Rating of 1 is reserved for vulnerabilities in products "that are being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild." While Adobe stated it was not aware of active exploitation at disclosure time, Priority 1 is a signal that Adobe's threat intelligence suggests this could change quickly. Historical precedent with ColdFusion backs this up: CVE-2023-29298 and CVE-2023-26360 were actively exploited within days of disclosure.

ColdFusion is a favored target for ransomware and espionage actors. ColdFusion installations frequently appear in government and financial sector environments, making them high-value targets. CISA has issued multiple advisories over the past several years specifically calling out ColdFusion vulnerabilities being leveraged in attacks against government infrastructure.

Unrestricted file upload at CVSS 10.0 is a worst-case scenario. CVE-2026-48276 and CVE-2026-48283 are both CWE-434 (unrestricted file upload) vulnerabilities. An unauthenticated attacker exploiting these can upload a ColdFusion Template (CFM) or other executable file to the server and immediately achieve remote code execution — providing interactive shell access, data exfiltration capability, or a foothold for lateral movement.

Path traversal flaws are trivially weaponizable. CVE-2026-48282 (CVSS 10.0) and CVE-2026-48313 (CVSS 9.3) both involve path traversal. At CVSS 10.0, the path traversal leads to code execution. At 9.3, it leads to arbitrary file reads — enabling attackers to read ColdFusion's password.properties, database connection strings, or any file accessible to the ColdFusion service account.

Am I Affected?

You are affected if you are running any of the following:

  • Adobe ColdFusion 2025 on Update 9 or earlier (fixed in Update 10)
  • Adobe ColdFusion 2023 on Update 20 or earlier (fixed in Update 21)

To check your ColdFusion version and patch level: log in to the ColdFusion Administrator (typically at /CFIDE/administrator/index.cfm), navigate to Server Settings → Version Info, and note the Update level displayed.

ColdFusion 2021 and older version lines are past their end-of-life support dates and are not listed as receiving patches for this bulletin. If you are running ColdFusion 2021 or earlier, migration to a supported version is necessary — you have no available fix for these vulnerabilities on older release lines.

Exposure is highest for ColdFusion instances that are directly internet-accessible or accessible from untrusted network segments. However, given the unauthenticated nature of the CVEs, even intranet-facing instances should be considered at risk in environments where lateral movement is possible.

What to Do About It: Step-by-Step

Step 1: Apply the ColdFusion updates immediately.

  • ColdFusion 2025: Apply Update 10 from the ColdFusion Administrator (Server Update → Updates → Settings) or download directly from Adobe's Update Portal.
  • ColdFusion 2023: Apply Update 21 from the ColdFusion Administrator or the Adobe Update Portal.

Adobe recommends applying updates to development and staging environments before production, but given Priority 1 severity, parallel or emergency patching of production is warranted.

Step 2: While patching, apply Adobe's recommended security lockdown settings.

If immediate patching is not possible, Adobe's ColdFusion Lockdown Guide reduces the attack surface:

  • Disable the ColdFusion Administrator UI from public internet access (restrict /CFIDE/administrator/ at the web server or firewall level).
  • Enable the ColdFusion Security Sandbox to restrict file system access from ColdFusion templates.
  • Disable Remote Development Services (RDS) if not actively needed.
  • Remove or restrict the ColdFusion file manager and image gallery components if not in use.

None of these mitigations fully addresses unauthenticated RCE via the file upload CVEs, but they reduce the likelihood of successful chained exploitation.

Step 3: Verify no unauthorized files were uploaded prior to patching.

CWE-434 file upload vulnerabilities can be exploited to plant persistent backdoors (web shells). After patching, audit the ColdFusion application directory for recently created or modified .cfm, .cfc, .jsp, or .php files that were not placed there by your development team:

find /path/to/cfusion/wwwroot -type f \( -name "*.cfm" -o -name "*.cfc" -o -name "*.jsp" -o -name "*.php" \) -newer /path/to/last-known-clean-file -ls

Also check the ColdFusion upload directory (configured in CF Administrator under Server Settings → File Uploads) for any uploaded executables.
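The find command above only catches files whose modification time is newer than a reference file; a planted or overwritten template whose timestamp was reset would slip past it. The following script, added here as an illustration and not code from Adobe or from the bulletin, combines the timestamp check with a SHA-256 manifest of known-good templates so that new, altered, and recently touched executable files are all reported. The extension set, the manifest layout, and the scenario built in demo() (a clean webroot, then a planted file, a changed file, and a re-timestamped file) are assumptions constructed for the example; a real manifest should be generated from a deployment artefact or a known-clean install, never from a server that may already be compromised.

```python
"""Audit a ColdFusion webroot for templates added or changed after a
known-good baseline (hunting for CWE-434 upload leftovers / web shells).

Two checks are combined:
  1. mtime newer than the baseline timestamp (what `find -newer` does)
  2. content hash absent from or different to a known-good manifest,
     which also catches a file whose timestamp was reset after tampering
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Assumed set of extensions the ColdFusion server (or a co-hosted servlet
# container) will execute; extend it to match your deployment.
EXECUTABLE_EXTS = {".cfm", ".cfc", ".cfml", ".jsp", ".php"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Snapshot every executable template under root: relative path -> sha256.
    Build this from a known-clean source, not from a possibly compromised host."""
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS:
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def audit_webroot(root: Path, manifest: dict, baseline_ts: float) -> list:
    """Return (relative_path, reason) for every executable file that is not
    in the manifest, differs from it, or was modified after baseline_ts."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        rel = p.relative_to(root).as_posix()
        if rel not in manifest:
            findings.append((rel, "not in known-good manifest"))
        elif manifest[rel] != sha256_file(p):
            findings.append((rel, "content differs from manifest"))
        elif p.stat().st_mtime > baseline_ts:
            findings.append((rel, "modified after baseline"))
    return findings


def demo() -> list:
    """Constructed scenario: clean webroot, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.cfm").write_text("<cfoutput>hello</cfoutput>")
        (root / "app").mkdir()
        (root / "app" / "Login.cfc").write_text("component {}")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not executable, ignored
        manifest = build_manifest(root)
        baseline = time.time()
        # Pin the clean files well before the baseline so the demo is deterministic.
        for p in root.rglob("*"):
            if p.is_file():
                os.utime(p, (baseline - 3600, baseline - 3600))
        # Constructed post-exploitation state (harmless placeholder content):
        (root / "uploads").mkdir()
        (root / "uploads" / "img.cfm").write_text("<!-- planted file -->")   # new file
        (root / "index.cfm").write_text("<cfoutput>changed</cfoutput>")     # altered
        os.utime(root / "app" / "Login.cfc", (baseline + 5, baseline + 5))  # re-touched
        return audit_webroot(root, manifest, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:32s} {rel}")
```

Run it against a real install as audit_webroot(Path("/path/to/cfusion/wwwroot"), manifest, baseline) with the manifest loaded from your clean build; anything reported as "not in known-good manifest" inside an upload directory deserves the same treatment as a confirmed web shell until proven otherwise.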

Step 4: Review ColdFusion access logs for exploitation indicators.

Look for POST requests to unexpected ColdFusion endpoints, particularly around file upload handlers, or requests containing path traversal sequences (../, %2e%2e/, %252e%252e/). ColdFusion access logs are typically found at:

  • Windows: C:\ColdFusion2025\cfusion\logs\ or C:\ColdFusion2023\cfusion\logs\
  • Linux: /opt/coldfusion2025/cfusion/logs/ or /opt/coldfusion2023/cfusion/logs/

Pay attention to application.log, exception.log, and server.log for error patterns that may indicate failed or successful exploitation attempts.
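The two indicator classes named above, traversal sequences in any encoding and POSTs to endpoints the application does not expose, can be checked mechanically. The script below is an added example, not tooling from Adobe or from the bulletin: it parses access-log lines, percent-decodes the path repeatedly so that %2e%2e/ and %252e%252e/ collapse to ../, and flags POSTs whose path is outside an allowlist. The Combined Log Format regex, the allowlist EXPECTED_POST_PATHS, and every line in SAMPLE_LOG are constructed assumptions; adjust the regex to the log format your web server or ColdFusion instance actually writes.

```python
"""Scan access-log lines for the Step 4 indicators: path traversal
(plain, URL-encoded, double-encoded) and POSTs to unexpected endpoints.
The log format, allowlist and sample lines are constructed for illustration."""
import re
from urllib.parse import unquote

# Assumed Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Matches ../ and ..\ after decoding.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Hypothetical allowlist of endpoints this application legitimately accepts
# POSTs to; derive yours from the real application's routes.
EXPECTED_POST_PATHS = {"/login.cfm", "/api/orders.cfc"}


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding until the string stops changing."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def classify(line: str):
    """Return a hit record for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    decoded = decode_fully(path)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence")
    if m.group("method") == "POST":
        base = decoded.split("?", 1)[0]
        if base not in EXPECTED_POST_PATHS:
            reasons.append("POST to unexpected endpoint")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": m.group("status"), "reasons": reasons}


def scan_log(lines) -> list:
    """Classify every non-empty line; return hits in order of appearance."""
    return [h for h in (classify(l) for l in lines if l.strip()) if h]


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """
203.0.113.5 - - [01/Jul/2026:10:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
203.0.113.5 - - [01/Jul/2026:10:00:04 +0000] "POST /login.cfm HTTP/1.1" 302 0
198.51.100.7 - - [01/Jul/2026:10:02:11 +0000] "GET /assets/%2e%2e/%2e%2e/lib/password.properties HTTP/1.1" 200 930
198.51.100.7 - - [01/Jul/2026:10:02:12 +0000] "GET /files/%252e%252e%252f%252e%252e%252fconfig.txt HTTP/1.1" 404 0
198.51.100.7 - - [01/Jul/2026:10:03:40 +0000] "POST /uploads/img.cfm HTTP/1.1" 200 44
203.0.113.9 - - [01/Jul/2026:10:05:00 +0000] "POST /api/orders.cfc?method=create HTTP/1.1" 200 20
"""


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"], "; ".join(h["reasons"]))
```

A 200 status on a traversal request (the third sample line) is the case to escalate first, since it suggests the server returned the referenced file; a traversal hit followed shortly by a POST to a previously unseen path from the same source is the pattern to expect when an upload flaw has been used to drop a template.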

Step 5: Check your ColdFusion service account permissions.

Since the CVEs allow code execution as the ColdFusion process user, review what that account has access to on the host. On Windows, verify the ColdFusion service is not running as SYSTEM or a Domain Admin account. On Linux, ensure the coldfusion or cfusion service user is not root. If the service account has excessive privileges, scope them down after patching.

Quick-Win Checklist

  • Identified all ColdFusion instances across your environment (check for CF 2025 Update 9 or earlier, CF 2023 Update 20 or earlier)
  • Applied ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 to all affected instances
  • Verified CF Administrator is not publicly accessible (blocked at web server or firewall)
  • Audited application directories for unexpected .cfm / .cfc / .php files created or modified recently
  • Reviewed ColdFusion access and exception logs for POST requests to file upload handlers or path traversal sequences
  • Confirmed ColdFusion service account does not run as SYSTEM, root, or a privileged domain account
  • Disabled RDS if not actively required
