Adobe patches a raft of critical ColdFusion code execution flaws

Adobe has released a batch of fixes for its ColdFusion web application server, closing at least eleven vulnerabilities, many of which let an attacker run arbitrary code on affected systems. Researchers at watchTowr, who reverse engineered the patches, warn that the update touches nearly every supported version and that some of the flaws are serious enough to hand an attacker control of a server.

What is affected

The June 30 advisory (APSB26-68) covers ColdFusion 2025 (Update 9 and earlier) and ColdFusion 2023 (Update 20 and earlier), which watchTowr summarizes as "basically everything." The fixed issues include multiple arbitrary code execution bugs, an arbitrary file system read, privilege escalation, and a security feature bypass. ColdFusion runs on a Java-based engine that sits between web servers and back-end databases and file systems, so a compromise can expose sensitive data and give attackers a launch point deeper into a network.

How the attack works

watchTowr focused on ColdFusion's Remote Development Services (RDS), a feature meant to let a developer's IDE browse the file system, run database queries, and debug over HTTP. It has repeatedly been the source of security holes. By comparing the vulnerable and patched builds, the researchers traced file read and file write weaknesses reachable through RDS requests to the /CFIDE/main/ide.cfm endpoint. They stress that the specific path they detailed requires RDS to be enabled and, based on their testing, RDS authentication to be disabled, a configuration Adobe itself advises against, so not every server is exploitable out of the box. Given the number of bugs fixed in one advisory, watchTowr cautioned that mapping each flaw to a specific CVE with confidence was difficult.

Why it matters

ColdFusion has a long history of being hunted by attackers once patches ship, and internet-facing servers are attractive targets. Just last week, intruders were seen disabling Windows Defender and dumping credentials after breaking into a ColdFusion server, underscoring how quickly attackers move deeper once a foothold on one of these systems exists.

What you should do

Administrators should apply the ColdFusion 2025 and 2023 updates without delay. If patching cannot happen immediately, confirm that RDS is disabled (it is off by default) and that RDS authentication is enabled, restrict access to the ColdFusion administrator and CFIDE paths, and place ColdFusion servers behind access controls rather than exposing them directly to the internet.
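As an added example (not code from watchTowr, Adobe or IntelFusions), the following script turns the advice above into a quick check against web server access logs: it reports every request to the RDS endpoint /CFIDE/main/ide.cfm, which should see no traffic at all when RDS is disabled, and any request to the administrator console or the /CFIDE/adminapi path from an address outside an allowlist of internal networks. The allowlist ranges and the log lines are constructed for illustration; the adminapi prefix is included as an assumed path of interest rather than one the briefing names.

```python
"""Scan combined-format access logs for ColdFusion RDS and CFIDE administrator traffic.

Added example, not part of the original briefing or the watchTowr report.
The allowlist and the sample log lines below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# RDS endpoint named in the briefing; no legitimate traffic should reach it when RDS is off.
RDS_ENDPOINT = "/cfide/main/ide.cfm"
# Administrator console (named in the briefing) plus the adminapi path (assumed to be of interest).
CFIDE_ADMIN_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")

# Assumed internal ranges from which developers and admins legitimately use these paths.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Apache/IIS "combined" style: ip ident user [ts] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Hit:
    ip: str
    timestamp: str
    method: str
    path: str
    status: int
    reason: str


def normalise_path(raw: str) -> str:
    """Drop the query string, undo percent-encoding and collapse slashes so
    variants such as /CFIDE//main/%69de.cfm compare equal to the watched path."""
    path = raw.split("?", 1)[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_allowed(ip: str) -> bool:
    """True when the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def classify(line: str) -> Optional[Hit]:
    """Return a Hit for lines worth reviewing, None for everything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise_path(m.group("path"))
    external = not is_allowed(m.group("ip"))
    if path.startswith(RDS_ENDPOINT):
        # Any RDS request is reported; the source just changes the severity label.
        reason = "rds_endpoint_external" if external else "rds_endpoint_internal"
    elif path.startswith(CFIDE_ADMIN_PREFIXES) and external:
        reason = "cfide_admin_external"
    else:
        return None
    return Hit(m.group("ip"), m.group("ts"), m.group("method"), path,
               int(m.group("status")), reason)


def scan(log_text: str) -> List[Hit]:
    """Classify every line of a log and keep only the hits, in log order."""
    return [h for h in (classify(line) for line in log_text.splitlines()) if h]


# Constructed sample log (RFC 5737 documentation addresses for the external clients).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jun/2026:10:14:02 +0000] "POST /CFIDE/main/ide.cfm HTTP/1.1" 200 512
10.1.2.3 - - [30/Jun/2026:10:15:11 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048
198.51.100.9 - - [30/Jun/2026:10:16:40 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 302 0
203.0.113.7 - - [30/Jun/2026:10:17:05 +0000] "GET /index.cfm HTTP/1.1" 200 1024
10.1.2.3 - - [30/Jun/2026:10:18:00 +0000] "POST /cfide/main/ide.cfm HTTP/1.1" 404 0
198.51.100.9 - - [30/Jun/2026:10:19:27 +0000] "POST /CFIDE//main/%69de.cfm?x=1 HTTP/1.1" 200 300
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.reason:24} {hit.ip:15} {hit.method} {hit.path} -> {hit.status}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; internal hits on the RDS endpoint are reported too because, with RDS disabled as recommended, even a 404 there shows someone probing for it.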

The technical teardown, including the affected CVEs (CVE-2026-48276, CVE-2026-48277, CVE-2026-48282, CVE-2026-48313, CVE-2026-48315 and others), is in the original report from watchTowr's Sina Kheirkhah (@SinSinology).

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
