A maximum-severity Adobe ColdFusion vulnerability, tracked as CVE-2026-48282, is now being actively exploited in ongoing attacks. The warning came from the Canadian Center for Cyber Security (CCCS) on Thursday. The flaw affects all versions of the enterprise web application platform, though specific affected builds were not detailed in the advisory.

The vulnerability carries the highest possible CVSS severity rating, indicating it can be exploited remotely without authentication or user interaction. The CCCS alert underscores the urgency, as exploitation has already been observed in the wild. Organizations running Adobe ColdFusion are advised to treat this as an active threat requiring immediate action.

Technical details of the attack vector remain sparse. CVE-2026-48282 allows remote code execution via crafted requests sent to ColdFusion servers. The lack of publicly available exploit code does not mitigate the risk, given confirmed in-the-wild exploitation. Administrators should monitor for unusual server behavior or unauthorized command execution.

Adobe has released a security update to patch the vulnerability. The CCCS strongly urges all organizations to apply the fix immediately and suspend exposed ColdFusion instances if patching is not possible. No workarounds other than the vendor-supplied patch were confirmed as effective.

Attribution for the attacks was not provided. The development fits a pattern of adversaries targeting enterprise ColdFusion installations, which often serve critical business applications and remain a high-value target for ransomware groups and state-sponsored actors alike.