Priya Nair, Application Security Lead, YuSMP Group · AppSec, secure SDLC and legacy-runtime hardening for US/EU products

The short answer

On 1 July 2026 Adobe released emergency patches for seven CVSS 10.0 flaws — six in ColdFusion (bulletin APSB26-68) and one in Campaign Classic (APSB26-69) — most of which allow arbitrary code execution. Adobe says it is not aware of exploits in the wild, but it assigned its highest Priority 1 rating and told administrators to update within 72 hours. Patch immediately if you run ColdFusion; then treat it as a reason to plan off the legacy runtime.

The headline is not one clever exploit. It is that a widely deployed, often internet-facing application runtime just shipped a cluster of maximum-severity, code-execution flaws — the exact profile attackers race to weaponize once a patch is public.

What Adobe actually fixed

Adobe's July security release centred on two products. Bulletin APSB26-68 addresses 11 vulnerabilities in ColdFusion 2025 and ColdFusion 2023, six of which carry the maximum CVSS base score of 10.0. According to Adobe and independent security reporting, those six — tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48282, CVE-2026-48283 and CVE-2026-48316 — stem from unrestricted upload of dangerous file types, improper input validation, and path traversal, and can lead to arbitrary code execution. A separate bulletin, APSB26-69, fixes a single CVSS 10.0 incorrect-authorization flaw in Adobe Campaign Classic (CVE-2026-48286) that could also allow code execution — seven maximum-severity issues across the two products.

For a security team, the shape of these bugs matters more than the count. Unrestricted file upload and path traversal leading to code execution are the classic pattern for a pre-authentication compromise: an attacker who can merely reach the server may not need a valid login to run commands. That is precisely the kind of flaw that turns a routine patch note into an incident. If ColdFusion sits anywhere near your perimeter, it belongs in a security audit scope, not just a monthly patch queue.

Who is affected, and how to patch

The ColdFusion flaws affect ColdFusion 2025 Update 9 and all earlier versions and ColdFusion 2023 Update 20 and all earlier versions. Adobe resolved them in ColdFusion 2025 Update 10 and ColdFusion 2023 Update 21. The Campaign Classic issue affects on-premises 7.4.3 build 9396 and earlier and is fixed in build 9397; Adobe-hosted Campaign instances were already patched. Adobe assigned the ColdFusion and Campaign updates its highest urgency rating and recommended installation within 72 hours.

Product                      Affected                        Fixed in
ColdFusion 2025              Update 9 and earlier            Update 10
ColdFusion 2023              Update 20 and earlier           Update 21
Campaign Classic (on-prem)   7.4.3 build 9396 and earlier    7.4.3 build 9397

Patching the runtime is step one. Adobe also ships a ColdFusion lockdown guide, and applying it — least-privilege service accounts, restricted file-system permissions, disabled unused features — is what limits the blast radius when the next flaw lands. For servers you cannot patch within the window, a web application firewall with virtual-patching rules is a stopgap, not a fix.

Why ColdFusion keeps ending up on breach reports

This is not ColdFusion's first Priority 1 rodeo. The runtime is an older, closed-source application server still embedded in finance, insurance, government, and long-lived enterprise systems — often on internet-facing hosts that are slow to update because nobody wants to touch a business-critical app that "still works." That is a dangerous combination: high exposure, high impact, and slow patch cycles. ColdFusion vulnerabilities have repeatedly landed in exploited-vulnerability catalogs precisely because unauthenticated file-upload and traversal bugs give attackers remote code execution from a single request.

Adobe's note that there are no known exploits at disclosure is real, but it has a short shelf life. Once a patch is public, attackers diff it against the previous build to reconstruct the vulnerability, and a working exploit for internet-facing targets can appear within days. The safe assumption for a Priority 1, code-execution ColdFusion flaw is that the window between disclosure and exploitation is measured in days, not months.

What it means for US & EU software teams

Strip away the CVE numbers and this release is a governance question. For US teams, unpatched code-execution flaws on systems holding customer or payment data feed directly into breach-notification exposure and SOC 2 control failures. For EU teams and anyone selling into Europe, an internet-facing server with a known maximum-severity flaw is hard to square with GDPR's "state of the art" security obligation — and, for in-scope entities, with the tighter incident and resilience expectations arriving under NIS2 and DORA. A flaw you knew about and did not patch is the worst version of that conversation.

Regulated sectors feel it first. A FinTech or healthcare operation running legacy ColdFusion is carrying both the technical risk and the compliance risk on the same box. The practical move is to separate the two clocks: patch on the emergency clock this week, and put the runtime itself on a modernization clock this quarter. The recurring stream of critical ColdFusion bulletins is the business case — each one is unplanned emergency work, security review, and audit exposure that a supported, modern stack would not generate.

There is a discipline trap worth naming, too. "We'll patch it later" and "we'll migrate someday" are the two failure modes, and they reinforce each other: the migration never starts, so the emergency patches never stop. Breaking that loop does not require a big-bang rewrite. It usually starts by identifying the internet-facing and regulated ColdFusion workloads, isolating them, and modernizing those first — the highest-risk slice, not the whole estate at once.

What to do this week

Here is the shippable version. Treat the bulletin as an incident with a 72-hour clock, then convert the lesson into a plan.

  1. Inventory ColdFusion now. Find every ColdFusion 2025 and 2023 instance, especially internet-facing ones. You cannot patch what you cannot see, and shadow ColdFusion is common in old enterprises.
  2. Apply the updates. Move to ColdFusion 2025 Update 10 or 2023 Update 21 (and Campaign Classic build 9397) within Adobe's 72-hour window; prioritize perimeter and regulated systems.
  3. Harden with the lockdown guide. Enforce least privilege, restrict file-system and upload paths, and disable unused components so the next flaw has a smaller blast radius.
  4. Add virtual patching for laggards. Put a WAF with rules for file-upload and traversal in front of any server you cannot patch immediately — as a stopgap, not a substitute.
  5. Hunt before you assume clean. Check logs for suspicious uploads, new files in web roots, and unexpected outbound connections since June; treat a Priority 1 runtime as compromised-until-proven-otherwise on exposed hosts.
  6. Scope the exit. Rank internet-facing and regulated ColdFusion workloads and put a modernization plan against the top of that list, so the next bulletin is someone else's problem.
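A worked version of step 5 (hunt before you assume clean), added here as an example and not part of Adobe's guidance or the original post: it triages web-server access log lines for path-traversal sequences and for the upload-then-execute pattern (a client completes a successful POST and is then the first to request a script file), and lists script-type files in a web root modified after a cutoff date. The log lines, extension list and path names are constructed for illustration; tune them to your application.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

# Combined-format access log line: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Plain and URL-encoded dot-dot-slash variants.
TRAVERSAL_RE = re.compile(r'\.\.(/|\\|%2f|%5c)|%2e%2e', re.IGNORECASE)
# Extensions the runtime or container would execute if dropped into the web root (assumed list).
SCRIPT_EXT = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx", ".war", ".sh")

def triage_access_log(lines):
    """Flag traversal sequences and the upload-then-execute pattern: a script file
    first requested by a client that had just completed a successful POST.
    Heuristic over one review window; 'first seen' means first seen in these lines."""
    findings, posted_ips, seen_paths = [], set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsed lines rather than silently mis-classifying them
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if TRAVERSAL_RE.search(path):
            findings.append(("traversal", ip, path))
        base = path.split("?", 1)[0].lower()
        if method == "POST" and 200 <= status < 300:
            posted_ips.add(ip)
        elif method == "GET" and status == 200 and base.endswith(SCRIPT_EXT) \
                and ip in posted_ips and base not in seen_paths:
            findings.append(("new-script-after-post", ip, path))
        seen_paths.add(base)
    return findings

def new_script_files(web_root: Path, since: datetime):
    """Script-type files under the web root modified at or after `since` (UTC)."""
    hits = []
    for p in web_root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SCRIPT_EXT:
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= since:
                hits.append(str(p))
    return sorted(hits)

# Constructed sample log lines (not from any real incident).
SAMPLE_LOG = """\
203.0.113.9 - - [02/Jul/2026:10:01:02 +0000] "POST /app/upload.cfm HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [02/Jul/2026:10:01:05 +0000] "GET /uploads/x1.cfm HTTP/1.1" 200 77 "-" "curl/8.0"
198.51.100.4 - - [02/Jul/2026:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 9102 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jul/2026:10:02:09 +0000] "GET /files/..%2f..%2fWEB-INF/web.xml HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""
```

Run `triage_access_log(SAMPLE_LOG.splitlines())` to see the two findings, and `new_script_files(Path("/your/webroot"), datetime(2026, 6, 1, tzinfo=timezone.utc))` for the file-system side of the hunt.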

None of this is legal advice, and your exact obligations depend on your data, sector, and jurisdiction. But the strategic signal is clear: maximum-severity flaws in legacy runtimes are now a routine event, and the advantage goes to teams that patch fast and shrink the surface — not to whoever hopes the next bulletin skips them.

Frequently asked questions

What did Adobe patch in ColdFusion in July 2026?

On 1 July 2026 Adobe published bulletin APSB26-68, fixing 11 vulnerabilities in ColdFusion 2025 and 2023. Six carry the maximum CVSS 10.0 score and come from unrestricted file upload, improper input validation, and path traversal that could lead to arbitrary code execution. A companion bulletin, APSB26-69, fixed one CVSS 10.0 flaw in Campaign Classic — seven maximum-severity flaws in total.

Which ColdFusion versions are affected and how do I fix them?

The flaws affect ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier. Adobe fixed them in ColdFusion 2025 Update 10 and 2023 Update 21; apply those updates and follow Adobe's lockdown guidance. The Campaign Classic flaw (CVE-2026-48286) affects on-premises build 9396 and earlier and is fixed in build 9397.

Are these ColdFusion vulnerabilities being exploited?

At disclosure Adobe said it was not aware of public exploits for these specific flaws, but it assigned its highest Priority 1 rating and urged patching within 72 hours. ColdFusion is historically targeted soon after fixes ship because attackers reverse-engineer the patch, so treat the quiet window as short.

Why is unpatched ColdFusion such a common breach path?

ColdFusion is an older runtime still widely deployed in finance, insurance, and government, often on internet-facing servers that patch slowly. Its flaws frequently allow pre-authentication file upload or path traversal leading to remote code execution, giving attackers a foothold from a single unauthenticated request — which is why it recurs in exploited-vulnerability catalogs.

Should we keep patching ColdFusion or migrate off it?

Do both on different clocks. Patch now and put internet-facing ColdFusion behind a WAF with virtual patching as an interim control. Then treat the steady stream of maximum-severity flaws as a reason to plan a migration off the legacy runtime, starting with internet-facing and regulated workloads.

Sources

Adobe — Security update for ColdFusion (APSB26-68), 1 July 2026 (primary source)
BleepingComputer — Adobe patches seven max severity ColdFusion, Campaign flaws, 1 July 2026
SecurityWeek — Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities, 1 July 2026