
Adobe Just Dropped Five Perfect-10s in ColdFusion. The Exploit Is the Oldest Religion on the Web: Upload a File, Get a Shell.

  • Writer: Patrick Duggan
  • 4 min read

On July 1, Adobe shipped an emergency stack of patches for ColdFusion and Campaign Classic, and the severity numbers are the kind you do not see often: five separate vulnerabilities rated CVSS 10.0, a perfect score, the maximum the scale allows. Two of them — [CVE-2026-48276](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48276) and [CVE-2026-48283](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48283) — are unrestricted file-upload flaws. The other three — [CVE-2026-48277](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48277), [CVE-2026-48281](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48281), and [CVE-2026-48316](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-48316) — are improper input validation leading to code execution. That is a lot of tens. But do not let the fresh CVE numbers fool you into thinking this is a modern problem. The attack these bugs enable is the oldest religion in web security, and ColdFusion is one of its oldest churches.





The sermon: upload a file, get a shell


Strip away the CVE identifiers and here is what an unrestricted file-upload vulnerability actually is: the application lets an attacker put a file of their choosing onto the server, in a place the server will later execute. Upload a small script. Ask the server to run it. Now you have a webshell — a command prompt inside the victim's infrastructure, wearing the application's own permissions.


That is it. That is the entire liturgy. It predates the commercial web. It was old when PHP was young. Security teams have been preaching against unrestricted file upload since before "DevOps" was a word, and it remains, year after year, one of the most reliable paths from "internet-facing web app" to "attacker owns the box." A perfect-10 file-upload bug is not a clever new exploit. It is the fundamental sin the framework was supposed to prevent, made available again.



The church: ColdFusion has a long, bad memory


Now the part that makes these five tens genuinely dangerous rather than merely severe.


ColdFusion is old-time technology. It was born as Allaire ColdFusion in 1995, passed to Macromedia, and landed at Adobe — thirty years of enterprise web applications, a great many of them still running quietly under critical business processes because rewriting them was never worth the budget. And ColdFusion has a long, bad history with exactly this attack. Attackers know ColdFusion. They have weaponized ColdFusion webshell flaws before — CVE-2023-26360 was exploited in the wild fast enough to land on CISA's Known Exploited Vulnerabilities catalog, and the ColdFusion webshell campaigns of the mid-2010s are a genre unto themselves. When a perfect-10 file-upload bug lands in a platform with that track record, the question is not whether a proof-of-concept follows. It is how many days.


We want to be honest and precise here, because the accuracy half of the job matters: as of this writing, these specific five flaws are freshly patched by Adobe and we have not seen confirmation of active exploitation. This is a patch-ahead moment, not a house-on-fire one — yet. But "old religion" cuts both ways. The same history that makes ColdFusion familiar to defenders makes it familiar to attackers, and a maximum-severity file-upload flaw in a decades-old, widely deployed, previously weaponized platform is a when, not an if. The window between "patch released" and "PoC public" is where this gets decided.



Everything old is new, again


This is the second time this week we have written the same underlying story, and that is not repetition — it is the trend. Yesterday it was the vulnerabilities that breached the Department of Homeland Security, which had been known-exploited since 2025. The day before, it was AI attack surfaces getting cracked with Bash tricks from 1989. Now it is perfect-10 ColdFusion bugs whose exploit technique is older than most of the developers who will have to patch it.


The pattern holds because it is true: the newest severity scores keep getting stapled to the oldest attacks. Novel technology reintroduces ancient holes. And the defense is never a new invention — it is an old discipline finally applied.



What to do, and it is not exotic


Patch ColdFusion and Campaign Classic to Adobe's July 1 builds now, in the pre-PoC window, because that window is the whole game. Get ColdFusion administrative interfaces off the public internet — they were never supposed to be there. Enforce real file-upload restrictions at the application and the web-server tier: allow-list extensions, store uploads outside the web root, never let an upload directory be executable. Put a WAF in front of anything ColdFusion that you cannot immediately patch. And hunt your existing ColdFusion boxes for webshells you may already be hosting, because a platform this old on infrastructure this quiet does not get looked at often.
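To make the "enforce real file-upload restrictions" advice concrete, and to show the gate that the unrestricted-upload flaw described in the sermon section is missing, here is an upload validator written for this post as an added example. It is not code from the post, from Adobe, or from ColdFusion itself; it is a Python sketch of the same discipline that would sit in whatever tier handles uploads. The allow-list, the magic-byte table, the executable-extension list and the directory layout are all assumptions chosen for the example.

```python
import os
import secrets
from pathlib import Path

# Constructed policy for this example: the only extensions the application accepts.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "pdf"}

# Leading bytes each allowed type must start with; the body is checked, not the client's claim.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Extensions a ColdFusion/Java web tier (or a neighbouring handler) will execute as code.
# Any of these anywhere in the dotted name is refused, not just in the last segment.
EXECUTABLE_EXTENSIONS = {"cfm", "cfc", "cfml", "jsp", "jspx", "php", "asp", "aspx", "sh", "war"}


class UploadRejected(ValueError):
    """Raised when an upload fails the allow-list, content, or location check."""


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the accepted extension, or raise UploadRejected.

    The client-supplied name is untrusted: it is reduced to a base name (dropping
    any directory or traversal components), refused if it carries a null byte, and
    every dotted segment is checked against the executable list so that
    shell.cfm.png and shell.png.cfm are both rejected, not only shell.cfm.
    """
    base = os.path.basename(client_name.replace("\\", "/"))
    if not base or "\x00" in base:
        raise UploadRejected("empty filename or embedded null byte")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("missing extension")
    if any(seg in EXECUTABLE_EXTENSIONS for seg in parts[1:]):
        raise UploadRejected("executable extension present in filename")
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allow-listed")
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("file body does not match the declared type")
    return ext


def is_acceptable(client_name: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(client_name, data)
        return True
    except UploadRejected:
        return False


def ensure_outside_web_root(upload_root: Path, web_root: Path) -> None:
    """Refuse to operate if the upload directory is the web root or sits underneath it."""
    up, web = upload_root.resolve(), web_root.resolve()
    if up == web or web in up.parents:
        raise UploadRejected(f"upload directory {up} is inside the web root {web}")


def store_upload(client_name: str, data: bytes, upload_root: Path, web_root: Path) -> Path:
    """Validate, then write under a server-chosen random name with no execute bits."""
    ensure_outside_web_root(upload_root, web_root)
    ext = validate_upload(client_name, data)
    # The client never influences the on-disk name, so it cannot pick a path or a second extension.
    dest = upload_root / f"{secrets.token_hex(16)}.{ext}"
    with open(dest, "xb") as fh:      # "x": fail rather than overwrite an existing file
        fh.write(data)
    os.chmod(dest, 0o640)             # owner read/write, group read, execute for nobody
    return dest
```

Three of the post's rules are enforced by construction here: the extension allow-list is applied to every segment of the name and cross-checked against the file body, the upload directory is verified to be outside the web root before anything is written, and the stored file never carries an execute bit or a client-chosen name. The web-server tier still needs its own rule that nothing under the upload directory is mapped to a script handler; this code cannot substitute for that.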


None of that is new. That is the reassurance and the indictment in a single breath: the perfect-10 ColdFusion flaws are defensible with lessons the industry learned twenty years ago and keeps forgetting to apply. We will cap it at ninety-five percent — exploitation status can change overnight, and the moment it does, this stops being a patch-ahead post and becomes an incident-response one. But the shape is not in question. It is old-time religion: the oldest sin, the oldest church, the newest scores. Get right before the collection plate comes around.
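The "hunt your existing ColdFusion boxes for webshells" step is the one defenders most often skip, so here is a triage scanner written for this post as an added example. It is not code from the post or from Adobe; it is a Python script that walks a web root, flags server-side script files that are not in a known deployment manifest, and flags files whose contents combine a command-execution construct with a read of request input. The extension list, the pattern lists, the manifest and the sample tree are all constructed for the example, and the planted file in the sample tree is a deliberately non-runnable fragment inside a CFML comment, enough for the scanner to match but not a working shell.

```python
import re
from pathlib import Path

# Server-side script types the ColdFusion/Java web tier will execute. Constructed list.
SCRIPT_EXTENSIONS = {".cfm", ".cfc", ".cfml", ".jsp", ".jspx"}

# Constructs that run OS commands or reach into the JVM from CFML. Constructed heuristics.
EXEC_PATTERNS = [
    re.compile(r"\bcfexecute\b", re.I),
    re.compile(r"java\.lang\.Runtime", re.I),
    re.compile(r"ProcessBuilder", re.I),
    re.compile(r"createObject\s*\(\s*['\"]java['\"]", re.I),
]

# Reads of request data an outside party controls. Constructed heuristics.
INPUT_PATTERNS = [
    re.compile(r"\bform\.", re.I),
    re.compile(r"\burl\.", re.I),
    re.compile(r"\bcgi\.", re.I),
    re.compile(r"getHttpRequestData\s*\(", re.I),
]


def scan_file(path: Path, rel: str, manifest: set[str]) -> list[str]:
    """Return the list of reasons this script file deserves a look (empty if none)."""
    reasons = []
    if rel not in manifest:
        reasons.append("script not in deployment manifest")
    text = path.read_text(errors="ignore")
    has_exec = any(p.search(text) for p in EXEC_PATTERNS)
    has_input = any(p.search(text) for p in INPUT_PATTERNS)
    if has_exec and has_input:
        reasons.append("command execution fed by request input")
    elif has_exec:
        reasons.append("command execution construct present")
    return reasons


def hunt(web_root: Path, manifest: set[str]) -> dict[str, list[str]]:
    """Walk the web root and collect findings keyed by path relative to it."""
    findings = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTENSIONS:
            rel = path.relative_to(web_root).as_posix()
            reasons = scan_file(path, rel, manifest)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed manifest: the script files the last known-good deployment shipped.
SAMPLE_MANIFEST = {"index.cfm", "help.cfm", "tools/ping.cfm"}


def build_sample_tree(root: Path) -> Path:
    """Constructed web root: a benign page, a benign form page, a legitimate cfexecute
    with hard-coded arguments, and a planted file under the upload directory that is
    only a comment fragment, not runnable CFML."""
    (root / "tools").mkdir(parents=True, exist_ok=True)
    (root / "uploads").mkdir(exist_ok=True)
    (root / "index.cfm").write_text("<cfoutput>#now()#</cfoutput>\n")
    (root / "help.cfm").write_text(
        '<cfif isDefined("form.topic")><cfoutput>help</cfoutput></cfif>\n'
    )
    (root / "tools" / "ping.cfm").write_text(
        '<cfexecute name="/bin/ping" arguments="-c 1 127.0.0.1" timeout="5">\n'
    )
    (root / "uploads" / "avatar.cfm").write_text(
        '<!--- constructed marker, not runnable: cfexecute name="#form.c#" --->\n'
    )
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for rel, reasons in hunt(build_sample_tree(Path(d)), SAMPLE_MANIFEST).items():
            print(rel, "->", "; ".join(reasons))
```

On the sample tree this reports two files: the planted script under uploads/ (not in the manifest, and command execution driven by a form field) and tools/ping.cfm (a legitimate hard-coded cfexecute, reported at lower severity so a human can clear it). The manifest comparison is the stronger signal: a script file the deployment did not ship is suspicious regardless of what it contains. A real hunt would add modification times against the last deployment date and a hash comparison against the build artifact, but the two checks shown are what turn "we should look" into a worklist.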





