Minutes, not months, from write-up to attack
The old rhythm of vulnerability response assumed a gap. A flaw is disclosed, defenders read the advisory, plan a maintenance window, and patch before attackers build a working exploit. CVE-2026-48282 erased that gap. It is a path traversal flaw in Adobe ColdFusion, the long-running application server that still powers a surprising number of business web apps, and it scores the maximum 10.0 because an unauthenticated attacker can walk the file system and reach remote code execution on the server itself. Adobe shipped the fix on 30 June with its highest priority rating, ahead of any public detail.
Then the gap closed to nothing. On 2 July, within minutes of the security firm watchTowr publishing a technical breakdown of the flaw, honeypot sensors recorded the first real exploitation attempt, from an IP address geolocated to India. The explanation and the first attack landed on the same afternoon. That is the number an owner should carry out of this story: not the CVSS score, but the interval between a flaw becoming public knowledge and becoming someone's intrusion, now measured in minutes.
The condition that decides whether you are exposed
Not every ColdFusion server is reachable, and that is the one piece of good news. The flaw lives in ColdFusion's Remote Development Services, a feature meant to let developers work against a running server, and it is only exploitable when that service is enabled and its own authentication is switched off. That combination is not the default configuration, so a modern, tightly set-up instance is unlikely to be in the firing line.
The danger is where that setting quietly survives. It is the older ColdFusion box stood up years ago, where a developer turned Remote Development Services on for convenience during a build and no one ever turned it back off, now sitting forgotten behind a business application nobody has audited since. Adobe closed the hole in ColdFusion 2023 Update 21 and 2025 Update 10; affected are versions 2025.9, 2023.20, and every release before them. The servers most likely to be running the exposed configuration are precisely the ones least likely to be on anyone's patch list.
The deadline is federal, the clock is everyone's
On 7 July the US cybersecurity agency CISA added CVE-2026-48282 to its Known Exploited Vulnerabilities catalogue under Binding Operational Directive 26-04, ordering federal agencies to patch by 10 July. Operators in the United Kingdom and the EU are not bound by that directive, but the clock it sets is a fair proxy for their own, and the NCSC guidance points the same way: a flaw exploited within minutes of disclosure does not wait for a maintenance window. Under NIS2, and under the sector rules that apply across the UK, the duty to manage a known-exploited vulnerability on your own systems sits with you.
The response is narrow and concrete rather than sweeping. Find every ColdFusion instance you run, including the ones inherited through acquisitions or left behind by a former supplier. Confirm whether Remote Development Services is enabled and whether its authentication is off. Patch the affected builds to 2023 Update 21 or 2025 Update 10, and where an immediate patch is impossible, disable the service and put the server behind a firewall rather than the open internet. Because exploitation is already live, an exposed and unpatched server should be treated as potentially already reached.
Read next: One Kernel Patch Will Not Close This VM Escape | CitrixBleed Returns, Exploited Within a Day



