369/69 Tuesday, July 7, 2026

Security researchers have disclosed that attackers are actively exploiting a Critical vulnerability, tracked as CVE-2026-58034, in Adobe ColdFusion to target unpatched servers. Adobe has raised the vulnerability to Priority 1 and confirmed that it has been exploited in attacks. The vulnerability has a CVSS score of 10.0 and could allow attackers to execute unauthorized code on affected servers.
The vulnerability is caused by a Deserialization of Untrusted Data issue, which allows attackers to send specially crafted data to a ColdFusion server to execute code with the privileges of the running service. Adobe has not disclosed additional technical details or attack methods because the vulnerability has already been observed in active exploitation. The flaw affects Adobe ColdFusion 2025 versions before Update 4, ColdFusion 2023 versions before Update 16, and ColdFusion 2021 versions before Update 22.
Administrators using Adobe ColdFusion should promptly update to the fixed versions provided by the vendor. They should also review event logs and monitor for suspicious activity on servers, especially unauthorized command execution, the creation of unknown files or processes, and unusual outbound connections to external destinations. In addition, access to services from the internet should be restricted to only what is necessary in order to reduce the risk of exploitation through this vulnerability.
