Overview
Adobe has disclosed a critical vulnerability in ColdFusion tracked as CVE-2026-47928 with a CVSS v3.1 score of 9.6 (Critical). The flaw is an Improper Input Validation weakness that enables arbitrary code execution in the context of the current user without requiring any user interaction. Notably, this vulnerability carries a scope change, meaning exploitation can impact resources beyond the vulnerable component itself.
Affected Products
| Product | Affected Versions |
|---|---|
| Adobe ColdFusion 2023 | 2023.19 and earlier |
| Adobe ColdFusion 2025 | 2025.8 and earlier |
Vulnerability Details
| Field | Detail |
|---|---|
| CVE ID | CVE-2026-47928 |
| CVSS Score | 9.6 (Critical) |
| Vector | Network |
| Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Impact | RCE / Arbitrary Code Execution |
The improper input validation flaw allows an unauthenticated remote attacker to craft a malicious request that triggers arbitrary code execution on the target server. The "scope changed" rating indicates that a successful attack can affect resources beyond ColdFusion itself, potentially the underlying operating system or connected services.
Risk Assessment
With no user interaction required and no privileges needed, this vulnerability represents a high-value target for threat actors. ColdFusion servers are frequently exposed to the internet as web application servers, making internet-facing deployments especially at risk. The scope change amplifies the potential blast radius, as successful exploitation could provide a foothold into connected infrastructure.
Recommended Actions
- Patch immediately — Apply Adobe's security update to upgrade to ColdFusion 2023.20+ or ColdFusion 2025.9+.
- Restrict network access — If patching is not immediately possible, restrict ColdFusion admin interfaces to internal networks only.
- Review server logs — Audit ColdFusion server access logs for unusual POST requests or unexpected process spawning activity.
- Apply WAF rules — Deploy or update Web Application Firewall rules targeting ColdFusion-specific attack patterns.
- Monitor for exploitation — Watch CISA's Known Exploited Vulnerabilities catalog for active exploitation indicators.
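The following Python script is an added example, not code from Adobe or from this advisory, showing how the first and third recommended actions can be automated: it checks a reported ColdFusion version against the affected ranges in the table above, and it audits web-server access log lines for POST requests that fall outside normal activity. The log format (Apache/NGINX "combined"), the administrator path (`/CFIDE/administrator`, the default location), the RFC 1918 "internal" ranges, the allowlist of endpoints expected to receive POST requests, and the sample log lines are all assumptions constructed for the example; adjust them to the deployment being reviewed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Affected ranges from the advisory: ColdFusion 2023.19 and earlier,
# ColdFusion 2025.8 and earlier. Fixed in 2023.20+ and 2025.9+.
LAST_AFFECTED_UPDATE = {2023: 19, 2025: 8}


def is_affected_version(version: str) -> Optional[bool]:
    """Classify a ColdFusion version given as 'YYYY.N' (e.g. '2025.8').

    Returns True if the version is in an affected range, False if it carries
    the fix, and None if the release line is not covered by the advisory.
    """
    major, _, update = version.partition(".")
    try:
        major_n, update_n = int(major), int(update)
    except ValueError:
        raise ValueError(f"unexpected version format: {version!r}")
    if major_n not in LAST_AFFECTED_UPDATE:
        return None
    return update_n <= LAST_AFFECTED_UPDATE[major_n]


# Apache/NGINX "combined" access log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions: the administrator lives at the default /CFIDE/administrator
# path, RFC 1918 space is "internal", and only these application endpoints
# are expected to receive POST requests. Tune these to the real deployment.
ADMIN_PREFIX = "/cfide/administrator"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
EXPECTED_POST_PATHS = {"/api/checkout.cfm", "/login.cfm"}


@dataclass
class Finding:
    line_no: int
    ip: str
    path: str
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as external
    return any(addr in net for net in INTERNAL_NETS)


def audit_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag POST requests that do not match expected activity.

    Two conditions are reported: a POST to the administrator interface from
    an address outside the internal ranges (the advisory recommends keeping
    admin access internal-only), and a POST to any other endpoint that is
    not on the expected-POST allowlist.
    """
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # unparseable or non-POST lines are not in scope here
        ip, path = m["ip"], m["path"]
        path_only = path.split("?", 1)[0].lower()  # drop query string
        if path_only.startswith(ADMIN_PREFIX):
            if not is_internal(ip):
                findings.append(Finding(n, ip, path, "POST to admin interface from external address"))
        elif path_only not in EXPECTED_POST_PATHS:
            findings.append(Finding(n, ip, path, "POST to endpoint outside the expected-POST allowlist"))
    return findings


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2026:12:01:02 +0000] "GET /index.cfm HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2026:12:02:10 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:12:03:44 +0000] "POST /CFIDE/administrator/index.cfm HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '198.51.100.22 - - [10/Mar/2026:12:04:01 +0000] "POST /api/checkout.cfm HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [10/Mar/2026:12:05:17 +0000] "POST /unexpected/endpoint.cfc HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for v in ("2023.19", "2023.20", "2025.8", "2025.9"):
        print(f"ColdFusion {v}: affected={is_affected_version(v)}")
    for f in audit_access_log(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.ip} {f.path} -> {f.reason}")
```

On the sample input the audit reports two lines: the external POST to the administrator interface and the POST to an endpoint that is not on the allowlist; the internal administrator POST and the allowlisted checkout POST pass. In practice, feed the function the server's real access log (for example `audit_access_log(open(path))`) and treat each finding as a lead to correlate with process-creation telemetry on the host, which this script does not cover.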