Skip Navigation

July 7, 2026 |

Exploitation reported following Adobe security updates

Loading table of contents...

At a glance: Adobe released security updates for multiple maximum-severity vulnerabilities in Adobe ColdFusion and Adobe Campaign Classic on June 30, 2026. Researchers subsequently reported exploitation of ColdFusion vulnerability tracked as CVE-2026-48282. Organizations should prioritize identifying affected deployments, confirming patch status, and reviewing internet-facing systems for exposure.

Threat summary

On June 30, 2026, Adobe released security updates for Adobe ColdFusion and Adobe Campaign Classic that address multiple critical vulnerabilities, including seven vulnerabilities assigned maximum-severity Common Vulnerability Scoring System (CVSS) scores of 10.0.

Adobe reported that it was not aware of exploitation in the wild when the advisories were published.

Adobe ColdFusion is a web application development platform used to build and host business applications, web services, and customer portals. The vulnerabilities affect ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier.

Several of the vulnerabilities can lead to arbitrary code execution, including:

  • CVE-2026-48282

  • CVE-2026-48276

  • CVE-2026-48283

  • CVE-2026-48277

  • CVE-2026-48281

  • CVE-2026-48316

Adobe addressed the vulnerabilities in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, released on June 30, 2026.

By July 3, 2026, researchers had reported observing exploitation activity targeting CVE-2026-48282, and subsequent reporting confirmed that the vulnerability was being exploited in the wild.

The June 30 updates also addressed a maximum-severity vulnerability in Adobe Campaign Classic (ACC), CVE-2026-48286, affecting on-premises Adobe Campaign Classic deployments running v7 7.4.3 build 9396 and earlier.

It is Adobe's customer communication and marketing campaign management platform used to manage email campaigns, customer segmentation, marketing workflows, customer databases, and multi-channel communications such as email, SMS, and direct mail.

According to Adobe, exploitation does not require authentication or user interaction.

Analysis

Organizations operating internet-facing ColdFusion servers face elevated risk because exploitation activity began shortly after disclosure and the vulnerability is remotely exploitable without authentication according to Adobe's advisory. Exposure is likely highest where vulnerable ColdFusion instances remain accessible from the internet.

Organizations using ColdFusion are recommended to:

  • Determine the ColdFusion version and update level deployed across the environment and identify which systems are accessible from the internet.

  • Review application activity, web server logs, and security monitoring data for unusual file access attempts, unexpected file upload activity, or requests targeting ColdFusion applications.

  • Confirm that ColdFusion deployments are running the June 30 security updates to reduce exposure to the disclosed vulnerabilities.

CVE-2026-48286 affects Adobe Campaign Classic v7.4.3 build 9396 and earlier in on-premises and hybrid deployments. As such, affected organizations should update to Adobe Campaign Classic v7 build 9397 or later which contains the fix. Adobe-hosted instances were already remediated by Adobe.

ThreatRoundUp_SignUp_Simplifiedx2

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up