CRITICAL | CVE-2026-47928 | CNA: adobe

CVE-2026-47928: ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Improper input validation in Adobe ColdFusion (2025.8 and earlier, and 2023.19 and earlier) allows an unauthenticated attacker on an adjacent network to execute arbitrary code on the server. No credentials and no victim interaction are needed; the attacker only needs to reach the ColdFusion service from an adjacent network such as a shared LAN, VPN segment, or cloud subnet. Successful exploitation gives the attacker code execution as the ColdFusion process, read access to all data that process can reach, and the ability to modify or destroy it. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images layered on top of Adobe ColdFusion base images. Any image containing an affected ColdFusion version (2025.8 or earlier) is flagged immediately on ingest.
Triage (status: Available)

HarborGuard scores this CVE at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine routing priority. Triage findings are delivered to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patch (status: Pending upstream)

Because no upstream fix version has been published yet, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Adobe releases a remediated ColdFusion version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version is confirmed.

Exploit Conditions

  • Network reachability: adjacent network

    The attacker must be on an adjacent network (shared LAN, VPN segment, or cloud subnet) to reach the ColdFusion service; remote internet-based access is not sufficient on its own.

  • Authentication: not required

    No credentials of any kind are needed; the attacker can target the service anonymously.

  • Victim interaction: not required

    The exploit completes without any action from a logged-in user or administrator.

  • Attack complexity: low

    The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or environmental prerequisites are required.

Blast Radius

  • Attacker executes arbitrary code in the context of the ColdFusion server process, gaining an interactive foothold on the host.
  • All data readable by the ColdFusion process is exposed, including database credentials, session tokens, and application configuration files.
  • Attacker can write, modify, or delete files and database records accessible to the process.
  • Because scope is changed (S:C in the CVSS vector), the attacker can pivot beyond the ColdFusion process boundary and affect other components or services sharing the same host or network segment.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47928 is active across all customer environments, and any image running ColdFusion 2025.8 or earlier is flagged at the Critical severity tier. Because Adobe has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle and, for customers who have auto-remediation enabled, will trigger the auto-remediation pipeline (rebuild, regression test, PR to affected workloads) as soon as a patched release is confirmed.

In the interim, recommended compensating controls are:

  • Network-policy rules that restrict adjacency to the ColdFusion service (limiting which subnets or pods can reach it).
  • Egress filtering to contain lateral movement if the host is compromised.
  • A feature flag or WAF rule that blocks malformed input patterns at the perimeter, where possible.

Customers should monitor the Adobe security bulletin (APSB-series) for fix publication.

Affected packages
  • Adobe / ColdFusion: ≤ 2025.8
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References