We Flagged the ColdFusion Exploitation Five Days Before CISA's Catalog Did. It Just Became Adobe's Ninth Trip to That List.
- Patrick Duggan
- 1 hour ago
- 3 min read
This is a loop-closing post, so let us close it honestly, with both halves of the ledger showing.
On July 2 we published a patch-ahead warning on Adobe's emergency ColdFusion bulletin and called exploitation "a when, not an if." Later that same day the technical details of CVE-2026-48282 — an unauthenticated path-traversal bug that hands a stranger remote code execution on ColdFusion 2025.9, 2023.20, and everything older — went public, and exploitation began within two hours, caught by KEVIntel's honeypot network. We documented that two-hour window on July 7 and put the attacker's IP into our blocking feed the same morning. In that July 7 post we flagged one more thing, and it is the part that matters today: CISA's Known Exploited Vulnerabilities catalog had not yet listed CVE-2026-48282, six days after Adobe shipped the fix and days after exploitation was on the public record. We wrote that if you wait for the KEV entry to act, "you are patching on government time while the attacker is on honeypot time."
Here is the loop closing. CISA added CVE-2026-48282 to the KEV catalog on July 7 — the same day we published the post noting its absence — as part of a four-CVE batch alongside Joomla and Langflow. The federal patch deadline under Binding Operational Directive 26-04 was July 10. That deadline has now passed. So measure the gap plainly: exploited in the wild the afternoon of July 2, on the federal must-patch list July 7, mandatory-patched by July 10. An organization that moved on our July 2 warning had a five-day head start on the federal calendar and an eight-day head start on the deadline. That gap between "exploited on the record" and "on the government list" is not a footnote. It is the entire reason a private feed that moves in hours has value over a catalog that moves in days.
We keep the accuracy half of the ledger honest too, exactly as we did on July 7: the specific CVE that got exploited was not one of the five perfect-10s we named on July 2. We called the platform, the bulletin, and the attack class — put a file where the server executes it — and we told you to patch the whole bulletin rather than the CVEs you recognized. We did not name 48282 specifically. That is the difference between "we called ColdFusion soft and this batch dangerous," which we did and banked, and "we predicted this exact bug," which we did not and will not pretend to.
Now zoom out, because the KEV listing lets us say something the single incident cannot. CVE-2026-48282 is the ninth ColdFusion vulnerability on CISA's Known Exploited Vulnerabilities catalog. We track the whole catalog in our own index precisely so we can answer "is this a one-off or a repeat offender," and ColdFusion's answer is a rap sheet: CVE-2017-3066, CVE-2023-26359, CVE-2023-26360, CVE-2023-29298, CVE-2023-38205, CVE-2023-38203, CVE-2023-29300, CVE-2024-20767, and now 48282. Deserialization, improper access control, unrestricted upload, path traversal — different bug class each time, same building, same broken front door. Adobe carries eighty entries on the exploited list across all its products, fourth-most of any vendor we track behind only Microsoft, Cisco, and Apple. Nine of those eighty are ColdFusion. That concentration is not luck. It is the signature of a high-trust, internet-exposed, under-monitored application server that has been running in a corner since a decade nobody wants to name.
So the operational takeaway is not "patch 48282," which the July 10 deadline should already have forced. It is the pattern behind it. Patch the whole July 1 bulletin if you somehow haven't. Get the ColdFusion admin interface off the public internet, because every bug on that rap sheet lived and died on external exposure. Then do the forensic triage CISA buried in its own alert's last line — a bug that goes from public detail to in-the-wild in two hours means patching closes the door but does not tell you whether someone already walked through it, so hunt for webshells and unexpected file writes dating from July 2 onward.
We hold this at 95 percent — the two-hour figure was KEVIntel's capture, not ours, and we have said so every time. But the shape is beyond dispute and it keeps repeating: the ninth ColdFusion KEV is not a surprise, it is a receipt for a pattern we have been naming all month. Plan like there will be a tenth, because on this product there always is.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
