Adobe has released security updates addressing several Adobe ColdFusion vulnerabilities and a critical flaw in Adobe Campaign Classic that could allow attackers to execute arbitrary code on vulnerable systems. Although the company has not observed active exploitation, it warns that the affected vulnerabilities carry a high risk of future attacks and urges administrators to deploy the patches as quickly as possible.

The latest release fixes seven maximum-severity vulnerabilities across the two enterprise products, all of which can be exploited through low-complexity attacks that require no user interaction.

Adobe Fixes Multiple Critical ColdFusion Vulnerabilities

Adobe patched six critical vulnerabilities affecting ColdFusion versions 2025.9, 2023.20, and earlier.

The flaws are tracked as:

  • CVE-2026-48276
  • CVE-2026-48277
  • CVE-2026-48281
  • CVE-2026-48316
  • CVE-2026-48282
  • One additional maximum-severity ColdFusion vulnerability included in the latest update

According to Adobe, attackers can exploit these vulnerabilities without authentication to achieve remote code execution on unpatched servers.

The company assigned all six flaws a Priority 1 rating, indicating they have a high likelihood of becoming targets for exploitation and should receive immediate attention from administrators.

Adobe Campaign Vulnerability Also Enables Code Execution

Adobe also fixed CVE-2026-48286, a maximum-severity vulnerability affecting Adobe Campaign Classic version 7.4.3 build 9396 and earlier.

Successful exploitation could allow an attacker to execute arbitrary code within the context of the current user.

The company clarified that the vulnerability affects only on-premises Campaign Classic deployments, including hybrid environments that use on-premises components.

Adobe-hosted Campaign instances already received the necessary security updates before the public disclosure.

Adobe Recommends Installing Updates Within 72 Hours

Although Adobe says it has not detected active exploitation of any of the newly patched vulnerabilities, the company still recommends installing the updates within 72 hours because of their high severity and elevated risk.

All seven vulnerabilities can be exploited through low-complexity attacks and do not require user interaction, making them attractive targets once proof-of-concept exploits become publicly available.

Adobe says administrators should prioritize these updates to reduce the risk of remote compromise.

Adobe Speeds Up Security Update Schedule

Alongside the latest security release, Adobe announced changes to how it publishes future security advisories.

Beginning July 14, 2026, the company will move from a monthly release schedule to twice-monthly security bulletins, publishing updates on the second and fourth Tuesday of each month.

Adobe says the change will allow it to deliver security fixes more quickly while maintaining its existing out-of-band process for actively exploited zero-day vulnerabilities.

The announcement follows several recent security incidents involving Adobe software. In April, the company released emergency patches for a zero-day vulnerability in Acrobat Reader that attackers had exploited since at least December.

Adobe products also remain a frequent target for threat actors. Over the past five years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 79 Adobe vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including 10 flaws that ransomware groups have used in real-world attacks.


0 responses to “Adobe Patches Critical ColdFusion and Campaign Vulnerabilities”