Adobe ColdFusion Is Being Actively Exploited Right Now. And Your MSP's Remote Access Tool Might Be Next.

Threats & Attacks

Adobe ColdFusion Is Being Actively Exploited Right Now. And Your MSP's Remote Access Tool Might Be Next.

Adobe ColdFusion just received a CVSS score of 10.0. It was being exploited in the wild within two hours of the technical details becoming public. Not two weeks. Not two days. Two hours.

That is the window your infrastructure had. If your web environment runs ColdFusion and your patch cycle runs monthly, you were already behind before you’d had your morning coffee.

Today’s episode covers two stories. Both involve active exploitation. Both have direct implications for UK small businesses, even if neither headline mentions them by name.

Adobe ColdFusion CVE-2026-48282: A Perfect Score for the Wrong Reasons

CVE-2026-48282 is a path traversal vulnerability in Adobe ColdFusion. Path traversal, explained plainly: it allows an attacker to navigate outside the directories a web application is supposed to access, reading or writing files the server was never intended to expose. In this case, the impact is remote code execution. An attacker who exploits this successfully can run arbitrary commands on the affected server.

The Canadian Centre for Cyber Security confirmed active exploitation based on open-source intelligence. According to Ryan Dewhurst of KEVIntel, the vulnerability was being used in attacks within two hours of the technical details being made public.

Adobe issued patches on 30 June 2026 as part of a broader security update addressing multiple ColdFusion vulnerabilities. Six of those vulnerabilities carried a maximum impact score. CVE-2026-48282 is the one now confirmed as actively exploited.

Why does this matter to a small business that has never heard of ColdFusion?

ColdFusion is a web application platform. It powers online portals, booking systems, customer databases, and content management tools, particularly in sectors that have not modernised their infrastructure recently: healthcare administration, legal services, local government suppliers, hospitality. If your business interacts with any web-facing system built on ColdFusion, and you would not necessarily know whether it is, the exposure is upstream of you.

More directly: if your MSP or web hosting provider runs ColdFusion on any server that touches your data, their patch status is your risk.

The two-hour exploitation timeline is the data point that matters. It tells you that scanning and weaponisation is now industrialised. Threat actors are monitoring vulnerability disclosures and deploying attacks faster than most patch management cycles can respond. Monthly patching schedules are structurally inadequate for critical severity vulnerabilities.

SimpleHelp RMM CVE-2026-48558: Your MSP’s Tooling as an Attack Vector

SimpleHelp is a remote monitoring and management (RMM) application. RMM tools are what managed service providers use to access, monitor, and manage their clients’ systems remotely. If you have an IT support contract with an MSP, there is a reasonable probability that an RMM tool, possibly SimpleHelp, is installed on your machines and gives your provider remote access.

CVE-2026-48558 allows an unauthenticated attacker to create a Technician account on a vulnerable SimpleHelp server. A Technician account has access to all managed endpoints connected to that server. The Shadowserver Foundation’s scanning data confirms that hundreds of SimpleHelp servers worldwide remain unpatched and exposed, including at least eighteen in the Netherlands at the time of reporting.

This is the supply chain attack surface that rarely gets discussed plainly in small business security conversations.

The compromise path is straightforward. An attacker identifies an unpatched SimpleHelp server. They create a Technician account without needing any credentials. They now have the same level of access to managed client systems that your MSP has. Every business connected to that MSP’s SimpleHelp server is now a potential target, regardless of how good their own internal security posture is.

A single compromised RMM server can be the entry point for simultaneous attacks across dozens of client organisations. This is not a theoretical scenario. It is the documented attack pattern used in multiple ransomware campaigns against MSPs.

The question your MSP should be able to answer immediately: which RMM platform do you use, what version are you running, and when did you last apply security patches to it?

If they cannot answer that quickly and specifically, that is a material gap in your security posture, and it is one you are currently paying for.

What the Exploitation Timeline Tells Us

Two hours from disclosure to active exploitation for ColdFusion. Hundreds of unpatched SimpleHelp servers still exposed weeks after a patch was available.

These two data points together describe the same structural problem: the gap between vulnerability disclosure and remediation is the hunting ground. Attackers are operating at machine speed on the discovery side. Defenders, particularly in under-resourced MSPs and small businesses, are operating at human speed on the response side.

The NCSC’s guidance on vulnerability management is explicit: critical and high severity vulnerabilities should be patched within defined timeframes, with particular urgency for internet-facing systems and actively exploited flaws. The NCSC also maintains a dedicated page on supply chain security that addresses exactly the risk profile created by compromised MSP tooling.

This is not about buying a new product. It is about asking specific, answerable questions of the people who manage your infrastructure.

How to Make This a Competitive Differentiator

Businesses that ask these questions of their IT providers, and document the answers, are in a materially better position than those that do not. That position is increasingly visible to clients, insurers, and procurement teams.

Cyber insurance underwriters are asking about patch management cadences and RMM tool security as standard questions on renewal. Demonstrating that you have verified your MSP’s patch status, in writing, is evidence of due diligence. That has direct implications for both coverage and premiums.

For businesses that supply larger organisations, the ability to show that you actively manage third-party risk, including your IT provider’s security posture, is a procurement differentiator. Supply chain security questionnaires routinely ask about this now.

Making the Business Case

Three points worth putting in front of a decision-maker:

The exploitation window is now measured in hours, not weeks. CVE-2026-48282 was weaponised within two hours of disclosure. Monthly patch cycles do not address this risk. A conversation with your IT provider about emergency patch procedures for critical vulnerabilities is overdue.

Your MSP’s security is your security. A compromised RMM server gives an attacker the same access your IT provider has. If that access is broad, the blast radius of a compromise is broad. You should know what access your MSP has to your systems and how they protect the tools that enable it.

Unpatched infrastructure attracts automated scanning. Threat actors do not manually search for targets. They run automated scans against known vulnerability signatures. An unpatched ColdFusion server or SimpleHelp instance will be found. The question is whether it is found by a researcher running a Shadowserver scan or by someone with less benign intentions.

What to Do Before the End of the Week

  1. Contact your IT provider today. Ask specifically whether they use SimpleHelp as their RMM tool. If they do, ask what version they are running and whether CVE-2026-48558 has been patched. Get the answer in writing.

  2. Ask about their emergency patch procedure. Monthly patching is not sufficient for critical, actively exploited vulnerabilities. Your provider should have a documented process for applying emergency patches outside of their standard cycle. If they do not, that is a gap to address contractually.

  3. Ask about ColdFusion exposure. If you have any web-facing systems, portals, or applications managed by a third party, ask whether any of them run Adobe ColdFusion. If the answer is yes, ask for confirmation that the 30 June 2026 patches have been applied.

  4. Review your MSP contract. Check what security obligations your IT provider has under your service agreement, specifically around patch management and vulnerability response timelines. If there are none, you have no contractual leverage when they fall behind.

  5. Log the conversation. Whatever answers you receive, document them with a date. This creates an audit trail that is useful for insurance purposes, client due diligence questionnaires, and your own incident response planning.

Before you go: follow the show wherever you listen, leave a rating or review, drop a comment with your thoughts, and share this episode with someone who needs to hear it. That someone is probably the person responsible for your IT contract.

SourceArticle
Canadian Centre for Cyber SecurityAdobe Security Advisory AV26-647
Adobe[Security updates available for Adobe ColdFusion
Shadowserver FoundationSimpleHelp RMM vulnerable server scanning data
The Hacker NewsThreat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure
Security.nlKritiek path traversal-lek Adobe ColdFusion actief misbruikt bij aanvallen
Security.nlNederlandse SimpleHelp RMM-servers bevatten actief misbruikt lek
NCSCSupply chain security guidance
NCSCVulnerability management guidance

Filed under

  • smb-security
  • uk-business
  • msp-security
  • supply-chain-risk
  • incident-response
  • vendor-risk
  • remote-access