CISA Issues Urgent Order: US Government Agencies to Patch Adobe ColdFusion Vulnerability After Active Exploitation Detected
The U.S. cybersecurity agency has mandated federal government agencies to promptly update Adobe ColdFusion software following the discovery of a critical vulnerability currently being exploited by hackers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for U.S. federal agencies to update security patches for Adobe ColdFusion, a platform used for developing web applications. This order follows the discovery of a critical security vulnerability, CVE-2026-48282, which is a Path Traversal vulnerability (a technique for accessing files outside defined boundaries) affecting ColdFusion versions 2025.9, 2023.20, and earlier. This vulnerability allows malicious actors to remotely execute arbitrary code on the system without requiring complex access privileges. Of particular concern, CISA has confirmed that this vulnerability is being actively exploited, leading them to add it to the Known Exploited Vulnerabilities (KEV) catalog on July 7, 2026. Adobe had released a corrective patch a week prior and recommended users install it as soon as possible. Meanwhile, researchers from KEVIntel reported detecting exploitation attempts less than two hours after the vulnerability details were publicly disclosed.
Although this directive applies to U.S. government agencies, companies and organizations in Thailand using Adobe ColdFusion are also at high risk and should urgently update security patches to prevent attacks.