Adobe has disclosed a critical (CVSS 9.3) missing-authentication vulnerability in ColdFusion 2023 and 2025 that allows unauthenticated attackers to execute arbitrary code without user interaction.
What Is It
CVE-2026-48325 is a Missing Authentication for Critical Function vulnerability (CWE-306) in Adobe ColdFusion. According to Adobe, the flaw "could result in arbitrary code execution in the context of the current user," and exploitation "does not require user interaction." The issue carries a changed scope, meaning a successful exploit can affect resources beyond the initially vulnerable component. It is rated CRITICAL with a CVSS 3.1 base score of 9.3 (vector AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Why It Matters
The combination of no required authentication (PR:N), no user interaction (UI:N), and arbitrary code execution makes this a high-impact vulnerability for any exposed ColdFusion server. Both confidentiality and integrity impacts are rated HIGH. The attack vector is Adjacent Network (AV:A), meaning exploitation requires access to the same logical network segment rather than the open internet, but the low attack complexity means an attacker with that access faces few barriers. ColdFusion has historically been a repeated target for attackers seeking server-side code execution.
What's Vulnerable
The following Adobe ColdFusion versions are affected:
- ColdFusion 2025: versions 0 through 10 are affected; version 11 is unaffected.
- ColdFusion 2023: versions 0 through 21 are affected; version 22 is unaffected.
Patch Status
Adobe has published a security bulletin (APSB26-82) covering this vulnerability. The fix is available in the noted unaffected releases: ColdFusion 2025 Update 11 and ColdFusion 2023 Update 22. Administrators should upgrade affected installations to these versions. No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation in the provided source material.
Sources
- Adobe Security Bulletin APSB26-82; https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html
- NVD, CVE-2026-48325, https://nvd.nist.gov/vuln/detail/CVE-2026-48325