Threat Analysis: Adobe ColdFusion CVE-2026-48282 and the Fake Helpdesk Wave Hitting UK Businesses

Threats & Attacks

Threat Analysis: Adobe ColdFusion CVE-2026-48282 and the Fake Helpdesk Wave Hitting UK Businesses

Hello, Mauven here.

This is your Daily Threat Analysis for 6th July 2026.

Two threats on the board today. One is a software vulnerability being actively exploited right now. The other is a criminal group that does not bother with software at all, it just phones your staff and asks politely. Both are working. Neither requires a particularly sophisticated target.


Adobe ColdFusion CVE-2026-48282: Patch It Today, Not This Week

The Canadian Centre for Cyber Security confirmed on Thursday that CVE-2026-48282, a maximum-severity vulnerability in Adobe ColdFusion, is now being actively exploited in attacks. Maximum severity means CVSS 10.0. That is not a number you see often, and when you do, it means the flaw allows unauthenticated remote code execution: an attacker who can reach the server does not need a username, a password, or any existing foothold. They send a crafted request and they are in.

Adobe published a patch. The CCCS issued an alert. BleepingComputer has confirmed active exploitation.

What the advisory does not spell out is the exposure profile for UK SMBs. ColdFusion is not cutting-edge technology, it has been around since 1995, but it has a long tail. It turns up in legacy internal applications, in websites built by agencies a decade ago, and in hosted environments where the customer has no idea what the underlying stack looks like. If your business website was built by a third party and you have never had a conversation about the technology it runs on, this is the moment to have it.

It also turns up in managed service provider environments. If your MSP manages web hosting for multiple clients on shared infrastructure, one unpatched instance creates exposure across the entire customer base. Ask the question.

What to do:

  • Check with your web hosting provider, MSP, or internal IT team whether ColdFusion appears anywhere in your stack
  • If it does, apply Adobe’s patch immediately, do not wait for the next scheduled maintenance window
  • If you are running ColdFusion and cannot patch immediately, restrict external access to the server at the network level while you arrange the patch
  • If you are a managed service provider, treat this as an emergency across your client portfolio

Pink (CL-CRI-1147): When the Threat Just Calls You Up

While the ColdFusion story is a software problem, the second threat today is a people problem, which is considerably harder to patch.

A criminal group tracked as Pink, designated cluster CL-CRI-1147 by researchers, has been running a vishing operation targeting organisations through what amounts to confident social engineering. The gang phones employees, impersonates the IT helpdesk, and convinces them to share credentials and actively bypass their own multi-factor authentication. Once inside, they exfiltrate data from SharePoint and OneDrive, then issue a 72-hour ransom demand threatening to publish the stolen information.

This is the same basic playbook as UNC3753, which ran a comparable campaign against US law firms from January through May 2026, voice phishing, IT impersonation, screen-sharing sessions, remote monitoring tools. The tactics are documented. The NCSC has published guidance on social engineering. Organisations keep falling for it.

The reason it keeps working is straightforward: employees are trained to be helpful, especially to IT staff. When someone calls sounding authoritative and competent, explains there is a security incident affecting the employee’s account, and asks them to confirm their credentials and approve an MFA notification to resolve it quickly, many people do exactly that. The psychological architecture of the attack is sound. It exploits trust, urgency, and the desire to be a cooperative colleague.

The advisory on Pink notes 72-hour demands and targets cloud storage. What it does not say is that the exfiltration often happens within hours of the initial call. By the time the ransom note arrives, the data has already left the building.

What to do:

  • Brief every member of staff today on one rule: IT will never call and ask for your password, your MFA code, or ask you to approve an authentication notification you did not initiate. If that call comes, hang up and report it
  • Verify that your IT helpdesk has a callback number that staff know to use for verification
  • Review SharePoint and OneDrive audit logs for bulk downloads or unusual access patterns, particularly outside business hours
  • If you use conditional access policies in Microsoft 365, check they are configured to flag or block access from unexpected locations or devices

The Pattern Worth Noting

These two threats look different on the surface. One is technical exploitation of unpatched software. The other is social engineering that requires no technical skill at all beyond a phone and reasonable confidence.

But they share a structural feature that matters for SMBs: neither discriminates based on the size of the target. Automated scanning finds unpatched ColdFusion instances regardless of whether they belong to a FTSE 100 company or a regional solicitors’ firm. And a vishing caller does not check Companies House before dialling, they call the number on the website and work from there.

The ClickFix malware ecosystem, BabaDeda loader, Deno abuse to CastleRAT, is also worth flagging in background. The pattern of embedding malicious instructions inside apparently legitimate installer flows and browser prompts continues to evolve, and the entry point is consistently the same: someone clicks something they were persuaded was benign. That is the thread connecting all three stories today.


Sources

SourcePublicationLink
BleepingComputerMax severity Adobe ColdFusion flaw now exploited in attackshttps://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/
Canadian Centre for Cyber SecurityAlert: Active exploitation of CVE-2026-48282https://www.bleepingcomputer.com/news/security/max-severity-adobe-coldfusion-flaw-now-exploited-in-attacks/
The RegisterPink is the latest goon squad to use fake helpdesk calls to steal credshttps://www.theregister.com/cyber-crime/2026/06/04/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds/5251434
Google Cloud Threat IntelligenceSeeking Counsel: Ongoing Targeted Campaign Against US Law Firmshttps://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
MorphisecWhat Is the BabaDeda Loader? Analysis of a New ClickFix Malware Campaignhttps://www.morphisec.com/blog/what-is-the-babadeda-loader-analysis-of-a-new-clickfix-malware-campaign/

If Threat Analysis is useful to you, follow the show wherever you listen, tomorrow’s briefing lands automatically. And if someone in your team needs the heads-up on what is actually happening out there, pass this along to them. They will thank you for it.

Filed under

  • smb-security
  • uk-business
  • social-engineering
  • credential-theft
  • vendor-risk
  • remote-access
  • incident-response