Skip to content
Rush Commerce
Software & Dev3 min read

Adobe ColdFusion: seven CVSS 10 RCEs, patch window of hours

Adobe patched seven maximum-severity flaws in ColdFusion and Campaign Classic. Unauthenticated RCE on a legacy app server means your patch window is hours.

Adobe just disclosed nine vulnerabilities in ColdFusion and Campaign Classic, and seven of them carry a CVSS score of 10.0 — the maximum. Several allow remote, unauthenticated code execution: no login, no phishing, no user interaction. If one of these boxes is exposed to the internet, your patch window isn't measured in weeks or days. It's hours.

What actually happened

On July 1, Adobe patched seven maximum-severity flaws across ColdFusion 2023 and 2025 and on-premise Campaign Classic v7. Per The Hacker News, the six CVSS 10.0 ColdFusion bugs span unrestricted file upload (CVE-2026-48276, CVE-2026-48283), improper input validation (CVE-2026-48277, CVE-2026-48281, CVE-2026-48316), and path traversal (CVE-2026-48282) — all leading to arbitrary code execution. A seventh 10.0, CVE-2026-48286, is an authorization flaw in Campaign Classic that also enables code execution.

The fixes are ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21, plus an update for Campaign Classic 7.4.3 build 9396 and earlier. Adobe says it isn't aware of exploitation in the wild yet — but it recommends installing within roughly 72 hours, and ColdFusion has a long track record of being weaponized fast. It's a perennial resident of CISA's Known Exploited Vulnerabilities catalog for a reason: it's an internet-facing application server that runs code, which is exactly what attackers scan for.

Why it matters for your business

Almost nobody chooses ColdFusion in 2026. But plenty of businesses inherited it — a customer portal a contractor built in 2015, an internal app nobody's touched since, a form handler quietly running on a box in a colo. That's the danger profile: legacy software that still works, so nobody looks at it, sitting on a public IP. Unauthenticated RCE on that server means an attacker who finds it owns it, and everything it can reach.

Two moves. Short term: if you run ColdFusion or on-prem Campaign Classic anywhere, patch to the versions above today, not this quarter. Longer term: ask why an aging app server is reachable from the open internet at all. Put it behind a VPN or an authenticating proxy, restrict it to the IPs that actually need it, and shrink the attack surface so the next CVSS 10.0 — and there's always a next one — can't be hit by an anonymous scanner. The real liability isn't ColdFusion specifically; it's any forgotten, internet-exposed system running code you no longer maintain.

We find those systems, patch or retire them, and pull the ones that shouldn't be public off the open internet — before the scanners get there.

Key takeaways

  • Adobe patched seven CVSS 10.0 flaws on July 1 across ColdFusion 2023/2025 and on-prem Campaign Classic v7, several enabling unauthenticated remote code execution
  • Fixes are ColdFusion 2025 Update 10 and 2023 Update 21, plus a Campaign Classic update; Adobe advises patching within ~72 hours
  • Unauthenticated RCE on an internet-facing app server means the patch window is hours — attackers scan for exactly this
  • The deeper fix is getting aging, unmaintained systems off the public internet: put them behind a VPN or authenticating proxy and restrict access

Have a legacy app server you inherited and stopped watching? We inventory what's exposed, patch or retire it, and get the systems that shouldn't be public off the open internet. See how we harden your stack or book an exposure review.

Sources: The Hacker News, BleepingComputer.

  • #adobe-coldfusion
  • #cvss-10
  • #rce
  • #security
  • #legacy-software
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.