```html ```
top of page

We Gave You a Four-Day Head Start on ColdFusion. The Actual Window Was Two Hours.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 2 hours ago
  • 4 min read

Last Wednesday, July 2, we published a post about Adobe's emergency ColdFusion patches under the headline "The Exploit Is the Oldest Religion on the Web." We wrote, precisely: "The window between 'patch released' and 'PoC public' is where this gets decided," and we called exploitation "a when, not an if." We also promised that the moment exploitation was confirmed, "this stops being a patch-ahead post and becomes an incident-response one." This is that post. And the detail that should reorganize your patching calendar is not that the prediction came true — it's how fast.





The timeline, with the comparator attached


Adobe shipped the emergency bulletin on July 1 — a stack of maximum-severity CVSS 10.0 flaws across ColdFusion and Campaign Classic. We published our warning the morning of July 2. Later that same day, technical details of one flaw in the batch — CVE-2026-48282, an unauthenticated path-traversal bug that hands an attacker remote code execution on ColdFusion 2025.9, 2023.20, and everything older — became public.


Exploitation began within two hours.


That number comes from KEVIntel, whose founder Ryan Dewhurst reported that their global honeypot network caught in-the-wild attacks less than two hours after the technical details landed. The observed activity was unauthenticated arbitrary file read and write attempts — which, against ColdFusion, is the liturgy we described last week: put a file where the server will execute it, and the box is yours. The attacks came from 103.207.14[.]220, an address geolocated to India. The mainstream confirmation — BleepingComputer, Security Affairs — landed Monday, July 6, right on schedule for a story that broke over a holiday weekend when nobody was filing.


So the honest scorecard: we told you on July 2 that the pre-PoC window "is the whole game." We imagined that window in days. It was 120 minutes. If your patch process for an internet-facing perfect-10 involves a change-approval meeting, the meeting was longer than the window.



Two honesty notes, because receipts cut both ways


First: the exploited CVE was not one of the five we named. Our July 2 post walked through the five perfect-10s Adobe listed for the file-upload and input-validation classes; CVE-2026-48282 is a seventh maximum-severity flaw from the same July 1 bulletin batch, a path traversal rather than an upload bug. Same church, same collection plate, adjacent pew. We called the platform and the class; we did not call the specific bug. That distinction matters if you patched selectively — and it is one more argument for never patching selectively inside a single emergency bulletin.


Second, the comparator that matters most: as of this writing, CISA's Known Exploited Vulnerabilities catalog has not added CVE-2026-48282. The KEV has been silent since July 1 — six days, spanning the holiday. Exploitation has been publicly documented since Monday. That gap between "exploited in the wild, on the record" and "on the federal must-patch list" is the exact lag we measure with our kev-lead metric, and right now you are living inside it. If you wait for the KEV entry to act, you are patching on government time while the attacker is on honeypot time.



What we did about it, beyond writing


The attacker IP from the KEVIntel reporting is now in our indicator corpus and, as of this morning, confirmed present in our published blocking feed — the same feed our edge customers' Cloudflare Workers pull automatically. One IP is not a campaign, and we hold the usual humility about how quickly exploitation infrastructure rotates. But the point of running a feed is that the distance from "read the news" to "the door is barred" should be minutes, not a quarterly review.



The weekend thesis keeps closing its own loop


On Monday morning we argued the holiday quiet was instruments going dark, not attackers going home, and that the real disclosures would land Tuesday through Thursday. Monday evening delivered Warlock back to its SharePoint door. Tuesday delivers this: confirmation that while the gauges read "quiet," a ColdFusion bug went from public detail to live exploitation in under two hours, and the confirmation itself took four days to surface because the people who confirm things were at a barbecue. The attackers were not.


Patch ColdFusion to the July 1 builds — all of it, the whole bulletin, not the CVEs you recognize from headlines. Get the administrative interfaces off the public internet. Hunt for webshells and unexpected file writes dating from July 2 onward, because if your server was exposed and unpatched last Wednesday afternoon, the honest assumption is not "we're probably fine."


We hold this at 95 percent, as always — the two-hour figure is KEVIntel's measurement, not our own capture, and we say so plainly. But the shape is beyond dispute, and it is the same shape we keep publishing: the oldest attacks, the newest scores, and a window that keeps getting shorter than anyone's meeting schedule. Last week we preached. This week the collection plate came back around, and it took two hours.


Sources: KEVIntel exploitation reporting via BleepingComputer ("Max severity Adobe ColdFusion flaw now exploited in attacks," July 6 2026) and Security Affairs; Adobe security bulletin APSB26-68 (July 1 2026); CISA KEV catalog checked July 7 2026; DugganUSA blog "Adobe Just Dropped Five Perfect-10s in ColdFusion" (July 2 2026) and indicator corpus, queried directly.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


Comments

Rated 0 out of 5 stars.
No ratings yet

Add a rating
bottom of page