Adobe has patched 11 critical vulnerabilities in ColdFusion, and six of them carry the maximum CVSS score of 10.0. All six allow an unauthenticated attacker to execute arbitrary code on a ColdFusion server, which is the worst class of flaw there is: no login required, full control of the machine. Adobe assigned the update its highest priority rating and told administrators to patch within 72 hours. If you run ColdFusion and expose it to the internet, this is a drop-everything event.

  • Adobe fixed 11 critical ColdFusion CVEs; six are rated CVSS 10.0, the maximum possible severity.
  • All six top-rated flaws enable unauthenticated arbitrary code execution, meaning an attacker needs no credentials to fully compromise the server.
  • Adobe gave the update Priority 1, its most urgent tier, and recommended applying it within 72 hours.
  • ColdFusion has a long history as a ransomware and web-shell entry point, so exploitation of internet-facing servers typically follows disclosure fast.
The unauthenticated RCE attack chain An attacker sends a crafted request to an internet-facing ColdFusion server, triggers a critical flaw with no authentication, and gains arbitrary code execution leading to full server compromise. 6 x CVSS 10.0 = NO LOGIN NEEDED Crafted request unauthenticated Critical flaw triggered Code execution arbitrary, as server Full compromise Adobe Priority 1: patch within 72 hours of release genztech.blog
Fig 1 Unauthenticated means the attacker skips the login step entirely. One crafted request is the whole chain from stranger to server owner.

Why is unauthenticated RCE the worst-case rating?

CVSS 10.0 is reserved for flaws with no mitigating factors: maximum impact, minimum barrier. Unauthenticated arbitrary code execution checks every box. The attacker does not need a valid account, does not need to trick a user into clicking anything, and does not need to already be inside your network. They send a crafted request to an exposed server and, if it is unpatched, they run code as the server. From there it is web shells, data theft, lateral movement, and ransomware. Six separate flaws at this level in one product is not a routine patch cycle; it is a fire drill.

RelatedGrok Build CLI Secretly Uploads Your Entire Repo to xAI

Why does ColdFusion keep showing up in breaches?

ColdFusion is old, widely deployed in enterprises and government, and frequently left internet-facing because it powers customer portals and internal apps that are painful to migrate. That combination makes it a favorite target. Attackers know that many ColdFusion servers are under-maintained, that patching lags, and that a single compromised instance often sits deep inside a corporate network. Historically, ColdFusion flaws have been weaponized within days of disclosure and folded into ransomware playbooks. The pattern is reliable enough that defenders should assume exploitation attempts against exposed servers are a matter of when, not if.

What should administrators do right now?

Apply Adobe's update immediately, prioritizing any ColdFusion server reachable from the internet. If you cannot patch within the 72-hour window Adobe recommended, take internet-facing instances offline or put them behind restrictive access controls until you can. After patching, hunt for signs of prior compromise: unexpected files in web directories, new scheduled tasks, unfamiliar outbound connections, and anomalous ColdFusion administrator activity. Because these flaws are unauthenticated, a server could already have been hit between disclosure and your patch. Patching closes the door; it does not tell you whether someone already walked through it.

What to watch · 2026
  • KEV listing. Whether CISA adds any of these CVEs to its Known Exploited Vulnerabilities catalog, which would confirm in-the-wild attacks.
  • Exploit code. Public proof-of-concept releases, which historically compress the time from disclosure to mass scanning.
  • Ransomware crews. Whether known groups add these flaws to their initial-access toolkits.

Our take

Six maximum-severity, unauthenticated code-execution bugs in one ColdFusion release is a genuinely alarming disclosure, and the 72-hour clock Adobe set is the right level of urgency. The uncomfortable truth is that many ColdFusion servers will not be patched in time, because the product tends to run in places where change control is slow and ownership is fuzzy. Those are exactly the servers attackers will find first. If you are responsible for any ColdFusion instance, treat this as an incident, not a maintenance ticket: patch now, then assume you need to prove you were not already breached.

RelatedZimbra Patches Stored-XSS RCE in Classic Web Client

Why is patch timing the whole game here?

With unauthenticated remote code execution, the window between disclosure and mass exploitation is measured in days, sometimes hours. Once a patch ships, attackers reverse-engineer it to understand the flaw, and automated scanners begin sweeping the internet for unpatched servers almost immediately. That is why Adobe’s 72-hour recommendation is not conservative boilerplate; it is a realistic estimate of how long you have before opportunistic exploitation begins in earnest. Organizations that treat critical patches as part of a monthly maintenance cadence are operating on the wrong clock for this class of bug. The right model is an emergency-response one: identify every affected server, prioritize internet-facing instances, patch or isolate them the same day, and only then work through internal systems. The organizations that get breached by flaws like these are rarely the ones that had no patch available. They are the ones that had the patch and had not applied it yet, because their change process assumed they had weeks when they had days. Build the muscle to move fast on the rare critical patch, and most of the risk from disclosures like this one simply evaporates before an attacker can use it against you.

Primary sources

Original analysis by GenZTech. Reporting via Security Online.