Adobe ColdFusion Multiple Critical Unauthenticated RCE Vulnerabilities (CVE-2026-48277 / CVE-2026-48281 / CVE-2026-48282 / CVE-2026-48283 / CVE-2026-48313)
Scope: Adobe ColdFusion 2023 (Versions up to 2023.20) and ColdFusion 2025 (Versions up to 2025.9)
Severity: Red
Adobe released emergency bulletin APSB26-68 on June 30, 2026, addressing eleven vulnerabilities in ColdFusion. Six of them carry the maximum CVSS score of 10.0 and allow unauthenticated remote attackers to execute arbitrary code on exposed servers, with no user interaction required, through file upload, improper input validation, and path traversal flaws.

Adobe has assigned its highest Priority Rating of 1, reserved for vulnerabilities either already being exploited or at extreme risk of imminent targeting. It has simultaneously announced a shift to twice-monthly security bulletins beginning July 14, 2026, citing AI-accelerated vulnerability discovery that is compressing the window from public disclosure to exploitation to hours.

Organizations running ColdFusion in internet-exposed environments must apply ColdFusion 2023 Update 21 or ColdFusion 2025 Update 10 immediately and restrict external access to ColdFusion management and admin pages. They must also monitor for suspicious .cfm, .cfc, or .jsp files in web-servable directories and scan for child processes spawned by coldfusion.exe or java.exe, which are indicators of post-exploitation activity.
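One way to act on the file-monitoring recommendation above, as an added example that is not code from Adobe or CERT.UG/CC: a sweep that compares the .cfm, .cfc and .jsp files under a web root against a known-good baseline of SHA-256 hashes and reports files that are new or changed. The web root path, the JSON baseline file and the function names are assumptions; the baseline should come from a trusted deployment, not from a server that may already be compromised.

```python
import hashlib
import os
from datetime import datetime, timezone

# Script extensions the advisory names as suspicious in web-servable directories.
SCRIPT_EXTS = {".cfm", ".cfc", ".jsp"}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(web_root):
    """Map relative path -> SHA-256 for every script file under web_root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            # Case-insensitive match so "shell.JSP" is not missed.
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def find_suspicious(web_root, baseline):
    """Return sorted (path, reason, mtime_utc) for script files that are not in
    the baseline ("unexpected") or whose content differs from it ("modified").
    Hashes decide the verdict; mtime is reported for triage only, since
    timestamps can be altered."""
    findings = []
    for rel, digest in build_manifest(web_root).items():
        if rel not in baseline:
            reason = "unexpected"
        elif baseline[rel] != digest:
            reason = "modified"
        else:
            continue
        mtime = os.path.getmtime(os.path.join(web_root, rel))
        stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        findings.append((rel, reason, stamp))
    return sorted(findings)

if __name__ == "__main__":
    import json, sys
    # Usage (hypothetical file names): python cf_sweep.py <web_root> <baseline.json>
    with open(sys.argv[2]) as fh:
        for rel, reason, stamp in find_suspicious(sys.argv[1], json.load(fh)):
            print(f"{reason:10} {stamp} {rel}")
```

Any "unexpected" hit in an upload or other writable directory deserves review first, because script files have no legitimate reason to appear there outside a deployment.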
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.