CISA added CVE-2026-48282, a critical Adobe ColdFusion path traversal vulnerability, to its Known Exploited Vulnerabilities catalog on July 7, 2026, after determining that attackers are actively exploiting the flaw in the wild. The move turns what might have looked like another high-severity Adobe bulletin into an operational deadline for federal agencies and a practical fire alarm for everyone else. Adobe’s advisory, NIST’s vulnerability record, and CISA’s alert all point in the same direction: exposed ColdFusion servers now deserve immediate attention, not routine patch-cycle treatment.
The Known Exploited Vulnerabilities catalog has become one of the few government security lists that actually changes behavior. A CVE entry in a vendor advisory may be debated, triaged, deferred, or buried under the week’s competing tickets. A CVE entry in CISA’s KEV catalog means something simpler: someone is using it.
That distinction matters with CVE-2026-48282 because the vulnerability is not merely theoretical. CISA says the flaw was added based on evidence of active exploitation, and the agency’s language is deliberately plain: these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise. The federal wording is bureaucratic; the security message is not.
Adobe ColdFusion is not a consumer Windows component or a ubiquitous desktop app. It is older, server-side enterprise infrastructure, often found in public-sector portals, legacy business applications, and internal systems that have quietly become internet-facing over time. That is exactly the kind of software attackers like: valuable, exposed, and sometimes maintained by teams that inherited it rather than built it.
The latest KEV addition should therefore be read less as “Adobe has a bug” and more as “attackers have found a route into real ColdFusion deployments.” For WindowsForum readers running mixed Windows and application-server environments, that difference is the story.
That legacy role creates a familiar defensive trap. The server may be critical, but the institutional knowledge around it may be thin. The application owner may know the business process, the infrastructure team may know the host, and the security team may only know that a scanner occasionally reports ColdFusion build numbers with alarming red icons.
CVE-2026-48282 cuts directly through that ambiguity. According to Adobe’s security bulletin APSB26-68 and the NIST vulnerability entry, affected ColdFusion versions include ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier. The vulnerability is categorized as a path traversal issue that can lead to arbitrary code execution in the context of the current user, with no user interaction required.
That last clause is the one administrators should underline. No user interaction means this is not a phishing-dependent chain that requires an employee to open a document or click a link. If the vulnerable service is reachable and the exploit path is viable, the attacker’s conversation is with the server.
On a lightly consequential system, path traversal might mean disclosure of configuration files. On an application server with upload handlers, administrative features, template engines, or service permissions, the same class of bug can become a route to remote code execution. That is why the CVSS vector matters here: network attack vector, low complexity, no privileges required, and no user interaction.
Security firms tracking the issue have described CVE-2026-48282 as a path traversal vulnerability leading to remote code execution, and Help Net Security reported that attackers may be able to achieve code execution by sending specially crafted HTTP requests. Resecurity has separately described exploitation activity involving ColdFusion’s Remote Development Services file handling. Those reports add operational color, but CISA’s KEV addition is the escalation that should settle the patch-priority debate.
The lesson for defenders is that vulnerability names are not risk ratings. A “path traversal” bug in a static file server and a “path traversal” bug in an enterprise application platform are not the same operational problem. Context is what turns a class of weakness into an incident.
That is a more mature model than the old “patch everything critical first” doctrine. Severity scores are useful, but they are not reality. A critical vulnerability in a lab-only service may matter less than a medium-severity flaw in a public identity gateway that attackers are actively chaining.
The CVE-2026-48282 entry fits the new model almost too cleanly. It is remotely reachable in affected configurations, has a maximum CVSS score, needs no authentication, and is now in CISA’s catalog because exploitation is active. For federal agencies, that combination narrows the room for negotiation.
For private organizations, BOD 26-04 is not binding, but it is still useful as a policy template. If your vulnerability management program treats KEV as just another enrichment field in a scanner, it is wasting one of the better signals available. A KEV match on a public-facing server should create a different workflow than a generic CVSS 10 finding on an isolated host.
That is not a bureaucratic extra step. With a remotely exploitable server-side vulnerability, compromise can precede public awareness. Adobe’s bulletin appeared on June 30, 2026. CISA added the vulnerability to KEV on July 7, 2026. Active exploitation was confirmed by the time of the CISA action, but defenders should not assume exploitation began only when the catalog changed.
The practical response starts with exposure mapping. Security teams need to identify every ColdFusion instance, including forgotten development servers, migration staging boxes, and systems shielded only by weak network assumptions. The internet-facing servers are first, but internal ColdFusion systems should not be dismissed if they are reachable from compromised workstations, VPN networks, or partner connections.
Then comes version validation. Asset inventories lie, scanner fingerprints get stale, and application owners often remember the major version but not the update level. The affected range named in public vulnerability records includes ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier, so defenders need actual update-state evidence, not a spreadsheet cell that says “ColdFusion 2023.”
If a ColdFusion service account has broad file-share access, database rights, or local administrative privileges, exploitation can become more than application compromise. It can become a foothold into the rest of the Windows estate. That is why “arbitrary code execution in the context of the current user” is such a loaded phrase.
The “current user” might be tightly constrained in a well-hardened deployment. It might also be a legacy service account with permissions granted over a decade of urgent fixes. Attackers do not need every environment to be misconfigured. They need enough of them to be misconfigured.
This is where Windows-centric operations teams can add immediate value. Review the service identity. Check local group membership. Inspect file-share permissions. Confirm whether ColdFusion can write to web-accessible directories. Look at EDR telemetry around the host, not just web logs around the application.
For an internet-facing ColdFusion server, that may mean patching immediately, restricting access, disabling risky services, or temporarily placing controls in front of vulnerable endpoints while the update is validated. It may also mean taking a brittle but exposed legacy application offline for a short period if the alternative is leaving a known exploited RCE path reachable from the internet.
The decision is uncomfortable because ColdFusion applications are often business-critical. They may support public services, payment flows, case management, or regulatory submissions. But attackers know this too, and public-facing legacy application platforms have repeatedly become ransomware entry points and data-theft staging areas.
The right question is not whether patching is convenient. The right question is whether the organization can explain, after an incident, why a CISA KEV-listed, actively exploited, unauthenticated code-execution vulnerability remained exposed.
That gap between vendor patch and operational safety is where many incidents live. A security bulletin says “update.” A real environment says the application depends on an old connector, the developer who wrote the custom tag library has retired, and the disaster-recovery host is three updates behind because it was never included in the primary maintenance runbook.
ColdFusion’s history compounds the issue. The platform has seen serious vulnerabilities before, including earlier flaws that drew CISA attention and emergency patching. That does not make ColdFusion uniquely doomed; it makes it a normal enterprise platform with a long attack surface and long-lived deployments.
But defenders should be honest about what legacy application platforms require. They need disciplined update processes, hardened configurations, restricted administrative interfaces, monitored service accounts, and documented ownership. If no one owns the ColdFusion estate, attackers eventually will.
A ColdFusion server behind a modern reverse proxy is still a ColdFusion server. A ColdFusion administrator interface reachable only through a VPN is still reachable if the VPN account is compromised. A development instance exposed “temporarily” for testing is still indexed, scanned, and logged by adversaries that do not care what the change ticket said.
Security teams should assume that proof-of-concept activity, mass scanning, and opportunistic exploitation will cluster around this CVE now that it has KEV visibility. Even if a given exploit path is not widely commoditized on day one, the public ingredients are attractive: maximum severity, no authentication, no user interaction, and a known enterprise target.
This is also where defenders should separate patch status from exposure status. A server can be patched but still misconfigured. A server can be unpatched but temporarily shielded by effective network controls. The best answer is patched and hardened, but during an emergency the order of risk reduction matters.
The investigation should look for more than a single exploit string. Attackers often test, fail, adapt, and return. A few unusual HTTP requests may be the first visible step before file upload, web shell placement, credential access, or lateral movement.
On Windows Server hosts, process lineage can be especially revealing. If the ColdFusion service spawned command shells, scripting engines, archive tools, PowerShell, certutil, bitsadmin, or unexpected network utilities, that deserves immediate escalation. The absence of a dramatic alert does not mean the absence of compromise.
Credential hygiene also belongs in the response. If the ColdFusion process had access to database passwords, API keys, service account credentials, or configuration secrets, teams should treat those secrets as potentially exposed if exploitation is suspected. Rotating credentials after containment is tedious. Explaining why attackers used a harvested password three weeks later is worse.
That sounds elementary until a live vulnerability proves otherwise. Many vulnerability management programs are optimized for generating counts, not decisions. They can say there are 42 critical findings, but not which two sit on internet-facing systems with unauthenticated exploit paths and domain-adjacent permissions.
CISA’s risk-based model is a push against that failure mode. KEV is not meant to be a trophy case of bad bugs; it is meant to drive prioritization. The catalog’s value rises when organizations wire it into asset context, exposure management, patch orchestration, and incident response.
For a Windows-heavy enterprise, that means KEV entries should flow into the same operational fabric as Patch Tuesday, Defender alerts, identity monitoring, and change management. Application-server vulnerabilities do not respect internal team boundaries. Attackers certainly do not.
These systems are attractive because they sit near valuable data and often enjoy high trust. They are reachable enough to be useful, privileged enough to matter, and old enough to contain sedimentary layers of configuration decisions. When a bug appears in that class of product, defenders should assume impact before they assume inconvenience.
The industry’s vulnerability language still struggles with this reality. A CVSS score says one thing. A KEV listing says another. An internet-facing deployment with weak service-account boundaries says something louder than both.
That is why the CISA action is consequential even outside federal networks. It helps cut through the abstraction. This is not merely a critical vulnerability. It is a critical vulnerability now associated with active exploitation, in a platform that commonly fronts real business processes.
CISA’s Catalog Is Now the Security Industry’s Shortest Red Alert
The Known Exploited Vulnerabilities catalog has become one of the few government security lists that actually changes behavior. A CVE entry in a vendor advisory may be debated, triaged, deferred, or buried under the week’s competing tickets. A CVE entry in CISA’s KEV catalog means something simpler: someone is using it.That distinction matters with CVE-2026-48282 because the vulnerability is not merely theoretical. CISA says the flaw was added based on evidence of active exploitation, and the agency’s language is deliberately plain: these vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risk to the federal enterprise. The federal wording is bureaucratic; the security message is not.
Adobe ColdFusion is not a consumer Windows component or a ubiquitous desktop app. It is older, server-side enterprise infrastructure, often found in public-sector portals, legacy business applications, and internal systems that have quietly become internet-facing over time. That is exactly the kind of software attackers like: valuable, exposed, and sometimes maintained by teams that inherited it rather than built it.
The latest KEV addition should therefore be read less as “Adobe has a bug” and more as “attackers have found a route into real ColdFusion deployments.” For WindowsForum readers running mixed Windows and application-server environments, that difference is the story.
ColdFusion’s Legacy Footprint Is the Point, Not a Footnote
ColdFusion occupies a strange place in enterprise computing. It is neither obscure enough to be ignored by attackers nor fashionable enough to dominate modern DevSecOps dashboards. Many organizations still depend on it precisely because it has been dependable for years: government forms, business workflows, customer portals, reporting systems, and administrative tools built long before “cloud native” became a purchasing requirement.That legacy role creates a familiar defensive trap. The server may be critical, but the institutional knowledge around it may be thin. The application owner may know the business process, the infrastructure team may know the host, and the security team may only know that a scanner occasionally reports ColdFusion build numbers with alarming red icons.
CVE-2026-48282 cuts directly through that ambiguity. According to Adobe’s security bulletin APSB26-68 and the NIST vulnerability entry, affected ColdFusion versions include ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier. The vulnerability is categorized as a path traversal issue that can lead to arbitrary code execution in the context of the current user, with no user interaction required.
That last clause is the one administrators should underline. No user interaction means this is not a phishing-dependent chain that requires an employee to open a document or click a link. If the vulnerable service is reachable and the exploit path is viable, the attacker’s conversation is with the server.
Path Traversal Sounds Boring Until It Becomes Code Execution
Path traversal is one of those vulnerability classes whose name undersells its danger. At its simplest, it means software fails to properly confine file paths to the directories it meant to allow. In practice, that can let attackers reach files, write files, or manipulate server-side behavior outside the expected boundary.On a lightly consequential system, path traversal might mean disclosure of configuration files. On an application server with upload handlers, administrative features, template engines, or service permissions, the same class of bug can become a route to remote code execution. That is why the CVSS vector matters here: network attack vector, low complexity, no privileges required, and no user interaction.
Security firms tracking the issue have described CVE-2026-48282 as a path traversal vulnerability leading to remote code execution, and Help Net Security reported that attackers may be able to achieve code execution by sending specially crafted HTTP requests. Resecurity has separately described exploitation activity involving ColdFusion’s Remote Development Services file handling. Those reports add operational color, but CISA’s KEV addition is the escalation that should settle the patch-priority debate.
The lesson for defenders is that vulnerability names are not risk ratings. A “path traversal” bug in a static file server and a “path traversal” bug in an enterprise application platform are not the same operational problem. Context is what turns a class of weakness into an incident.
BOD 26-04 Turns KEV From a List Into a Deadline Machine
CISA’s alert also invokes Binding Operational Directive 26-04, the agency’s current framework for prioritizing security updates based on risk. The directive applies to Federal Civilian Executive Branch agencies, but its influence is larger than the federal acronym soup suggests. It tells agencies to prioritize rapid remediation for high-risk vulnerabilities, particularly KEV-listed CVEs on publicly exposed assets where exploitation can grant total control.That is a more mature model than the old “patch everything critical first” doctrine. Severity scores are useful, but they are not reality. A critical vulnerability in a lab-only service may matter less than a medium-severity flaw in a public identity gateway that attackers are actively chaining.
The CVE-2026-48282 entry fits the new model almost too cleanly. It is remotely reachable in affected configurations, has a maximum CVSS score, needs no authentication, and is now in CISA’s catalog because exploitation is active. For federal agencies, that combination narrows the room for negotiation.
For private organizations, BOD 26-04 is not binding, but it is still useful as a policy template. If your vulnerability management program treats KEV as just another enrichment field in a scanner, it is wasting one of the better signals available. A KEV match on a public-facing server should create a different workflow than a generic CVSS 10 finding on an isolated host.
The Patch Is Necessary, but the Timeline Is the Real Investigation
The most dangerous mistake after a KEV addition is to treat patching as the entire response. Patching closes the door, but it does not tell you whether someone already walked through it. CISA’s alert explicitly notes that BOD 26-04 establishes expectations for checking whether threat actors compromised a system before the patch was applied.That is not a bureaucratic extra step. With a remotely exploitable server-side vulnerability, compromise can precede public awareness. Adobe’s bulletin appeared on June 30, 2026. CISA added the vulnerability to KEV on July 7, 2026. Active exploitation was confirmed by the time of the CISA action, but defenders should not assume exploitation began only when the catalog changed.
The practical response starts with exposure mapping. Security teams need to identify every ColdFusion instance, including forgotten development servers, migration staging boxes, and systems shielded only by weak network assumptions. The internet-facing servers are first, but internal ColdFusion systems should not be dismissed if they are reachable from compromised workstations, VPN networks, or partner connections.
Then comes version validation. Asset inventories lie, scanner fingerprints get stale, and application owners often remember the major version but not the update level. The affected range named in public vulnerability records includes ColdFusion 2025 Update 9 and earlier and ColdFusion 2023 Update 20 and earlier, so defenders need actual update-state evidence, not a spreadsheet cell that says “ColdFusion 2023.”
Windows Shops Should Resist the “Not Our Platform” Reflex
For many Windows administrators, ColdFusion can feel like an application-team problem. It should not. ColdFusion commonly runs in environments deeply intertwined with Windows infrastructure: IIS front ends, Windows Server hosts, Active Directory service accounts, SMB shares, SQL Server back ends, and scheduled tasks built years ago by people who have since changed roles twice.If a ColdFusion service account has broad file-share access, database rights, or local administrative privileges, exploitation can become more than application compromise. It can become a foothold into the rest of the Windows estate. That is why “arbitrary code execution in the context of the current user” is such a loaded phrase.
The “current user” might be tightly constrained in a well-hardened deployment. It might also be a legacy service account with permissions granted over a decade of urgent fixes. Attackers do not need every environment to be misconfigured. They need enough of them to be misconfigured.
This is where Windows-centric operations teams can add immediate value. Review the service identity. Check local group membership. Inspect file-share permissions. Confirm whether ColdFusion can write to web-accessible directories. Look at EDR telemetry around the host, not just web logs around the application.
Exploitation Evidence Changes the Order of Operations
A normal patch process asks whether a fix is available, whether it breaks anything, and when the next maintenance window opens. A KEV-listed, actively exploited server flaw asks a harsher question: what is the shortest safe path to reducing exposure?For an internet-facing ColdFusion server, that may mean patching immediately, restricting access, disabling risky services, or temporarily placing controls in front of vulnerable endpoints while the update is validated. It may also mean taking a brittle but exposed legacy application offline for a short period if the alternative is leaving a known exploited RCE path reachable from the internet.
The decision is uncomfortable because ColdFusion applications are often business-critical. They may support public services, payment flows, case management, or regulatory submissions. But attackers know this too, and public-facing legacy application platforms have repeatedly become ransomware entry points and data-theft staging areas.
The right question is not whether patching is convenient. The right question is whether the organization can explain, after an incident, why a CISA KEV-listed, actively exploited, unauthenticated code-execution vulnerability remained exposed.
Adobe’s Advisory Solves the Software Problem, Not the Estate Problem
Adobe’s role is to ship the fix and document affected versions. The enterprise problem is messier. Organizations have to find the servers, test the update, coordinate application owners, watch for regressions, and determine whether exploitation occurred before remediation.That gap between vendor patch and operational safety is where many incidents live. A security bulletin says “update.” A real environment says the application depends on an old connector, the developer who wrote the custom tag library has retired, and the disaster-recovery host is three updates behind because it was never included in the primary maintenance runbook.
ColdFusion’s history compounds the issue. The platform has seen serious vulnerabilities before, including earlier flaws that drew CISA attention and emergency patching. That does not make ColdFusion uniquely doomed; it makes it a normal enterprise platform with a long attack surface and long-lived deployments.
But defenders should be honest about what legacy application platforms require. They need disciplined update processes, hardened configurations, restricted administrative interfaces, monitored service accounts, and documented ownership. If no one owns the ColdFusion estate, attackers eventually will.
The Internet Edge Is Where Theory Becomes Exposure
CISA’s BOD 26-04 language emphasizes publicly exposed assets for a reason. The internet edge is no longer just firewalls and VPN concentrators. It is a sprawling layer of web apps, API gateways, load balancers, remote management panels, forgotten staging hosts, and vendor-operated services.A ColdFusion server behind a modern reverse proxy is still a ColdFusion server. A ColdFusion administrator interface reachable only through a VPN is still reachable if the VPN account is compromised. A development instance exposed “temporarily” for testing is still indexed, scanned, and logged by adversaries that do not care what the change ticket said.
Security teams should assume that proof-of-concept activity, mass scanning, and opportunistic exploitation will cluster around this CVE now that it has KEV visibility. Even if a given exploit path is not widely commoditized on day one, the public ingredients are attractive: maximum severity, no authentication, no user interaction, and a known enterprise target.
This is also where defenders should separate patch status from exposure status. A server can be patched but still misconfigured. A server can be unpatched but temporarily shielded by effective network controls. The best answer is patched and hardened, but during an emergency the order of risk reduction matters.
Compromise Assessment Is Not Optional Busywork
Once a vulnerable ColdFusion server is identified, administrators should preserve and inspect relevant evidence rather than racing straight through a patch without a look backward. Web access logs, ColdFusion logs, application logs, file modification times, newly written templates, unexpected archives, suspicious scheduled tasks, and strange child processes all matter.The investigation should look for more than a single exploit string. Attackers often test, fail, adapt, and return. A few unusual HTTP requests may be the first visible step before file upload, web shell placement, credential access, or lateral movement.
On Windows Server hosts, process lineage can be especially revealing. If the ColdFusion service spawned command shells, scripting engines, archive tools, PowerShell, certutil, bitsadmin, or unexpected network utilities, that deserves immediate escalation. The absence of a dramatic alert does not mean the absence of compromise.
Credential hygiene also belongs in the response. If the ColdFusion process had access to database passwords, API keys, service account credentials, or configuration secrets, teams should treat those secrets as potentially exposed if exploitation is suspected. Rotating credentials after containment is tedious. Explaining why attackers used a harvested password three weeks later is worse.
The KEV Signal Rewards Organizations That Already Know Their Assets
The organizations best positioned to respond to CVE-2026-48282 are not necessarily the ones with the most expensive tools. They are the ones that can answer basic questions quickly: where ColdFusion runs, which versions are installed, which systems are exposed, who owns them, what accounts they use, and what normal behavior looks like.That sounds elementary until a live vulnerability proves otherwise. Many vulnerability management programs are optimized for generating counts, not decisions. They can say there are 42 critical findings, but not which two sit on internet-facing systems with unauthenticated exploit paths and domain-adjacent permissions.
CISA’s risk-based model is a push against that failure mode. KEV is not meant to be a trophy case of bad bugs; it is meant to drive prioritization. The catalog’s value rises when organizations wire it into asset context, exposure management, patch orchestration, and incident response.
For a Windows-heavy enterprise, that means KEV entries should flow into the same operational fabric as Patch Tuesday, Defender alerts, identity monitoring, and change management. Application-server vulnerabilities do not respect internal team boundaries. Attackers certainly do not.
The ColdFusion Lesson Is Really About Legacy Web Risk
It would be easy to frame CVE-2026-48282 as a narrow Adobe story. That would miss the broader pattern. The most dangerous enterprise vulnerabilities increasingly sit in the places where old assumptions meet new exposure: legacy web platforms, administrative services, file transfer systems, remote access appliances, and business-critical middleware.These systems are attractive because they sit near valuable data and often enjoy high trust. They are reachable enough to be useful, privileged enough to matter, and old enough to contain sedimentary layers of configuration decisions. When a bug appears in that class of product, defenders should assume impact before they assume inconvenience.
The industry’s vulnerability language still struggles with this reality. A CVSS score says one thing. A KEV listing says another. An internet-facing deployment with weak service-account boundaries says something louder than both.
That is why the CISA action is consequential even outside federal networks. It helps cut through the abstraction. This is not merely a critical vulnerability. It is a critical vulnerability now associated with active exploitation, in a platform that commonly fronts real business processes.
The ColdFusion Fire Drill Has a Short Checklist and a Long Shadow
CVE-2026-48282 does not require every organization to panic. It does require organizations using ColdFusion to move with the seriousness of an active exploitation event. The distinction is discipline.- Organizations should identify all Adobe ColdFusion instances, including development, staging, disaster-recovery, and internally hosted systems that may not appear in primary asset inventories.
- Administrators should confirm whether any deployment runs ColdFusion 2025 Update 9 or earlier, or ColdFusion 2023 Update 20 or earlier, and apply Adobe’s fixed updates according to the vendor guidance.
- Security teams should prioritize internet-facing ColdFusion servers and any systems reachable from VPN, partner, or semi-trusted network paths.
- Responders should review logs and host telemetry for signs of exploitation before assuming that patching alone has resolved the risk.
- Windows administrators should audit the ColdFusion service account, local privileges, file-share access, database permissions, and any suspicious process activity on affected hosts.
- Organizations should treat the CISA KEV listing as a trigger for emergency prioritization, not as another scanner annotation to be reviewed at the next monthly meeting.
References
- Primary source: CISA
Published: 2026-07-07T12:00:00+00:00
- Related coverage: securityvulnerability.io
CVE-2026-48282 : Path Traversal Vulnerability in Adobe ColdFusion Products
Explore the Path Traversal vulnerability affecting Adobe ColdFusion products, potentially leading to code execution. Learn more about CVE-2026-48282.securityvulnerability.io - Related coverage: dbugs.ptsecurity.com
CVE-2026-48282 — Remote Code Execution in Adobe Coldfusion | dbugs
Details on CVE-2026-48282: Remote Code Execution in Adobe Coldfusion. Includes CVSS score, affected versions, and references.dbugs.ptsecurity.com - Related coverage: digital.nhs.uk
Active Exploitation of CVE-2026-48282 in Adobe ColdFusion - NHS England Digital
Successful exploitation could allow an unauthenticated attacker to perform arbitrary code execution in the context of the current userdigital.nhs.uk - Related coverage: caloes.ca.gov
- Related coverage: labs.cloudsecurityalliance.org
CISA KEV Alert: Fortinet, Adobe, and Microsoft Under Attack
PDF documentlabs.cloudsecurityalliance.org