SOCRadar® Cyber Intelligence Inc. | Adobe ColdFusion and Campaign Classic: Critical RCE Flaws Among Multiple CVSS 10.0 Issues
Jul 01, 2026

Adobe ColdFusion and Campaign Classic: Critical RCE Flaws Among Multiple CVSS 10.0 Issues

Adobe has published two “Priority 1” security bulletins, covering a total of 12 vulnerabilities in Adobe ColdFusion and Adobe Campaign Classic (ACC). Both advisories address vulnerabilities with critical impact, including CVSS 10.0 Remote Code Execution (RCE) scenarios.

Adobe also states it is not aware of any exploits in the wild for the issues fixed in either bulletin as of publication.

What Was Patched in APSB26-68 (Adobe ColdFusion)

APSB26-68 covers ColdFusion vulnerabilities across multiple bug classes that frequently appear in compromise chains for server-side web platforms, including unrestricted file upload, input validation flaws, path traversal, server-side request forgery (SSRF), and reflected cross-site scripting (XSS).

ColdFusion CVEs and Impact Summary

The most urgent issues in Adobe ColdFusion are the six CVSS 10.0 vulnerabilities, all of which can lead to remote code execution:

  • CVE-2026-48276 (CVSS 10.0) — Unrestricted File Upload
  • CVE-2026-48277 (CVSS 10.0) — Improper Input Validation
  • CVE-2026-48281 (CVSS 10.0) — Improper Input Validation
  • CVE-2026-48316 (CVSS 10.0) — Improper Input Validation
  • CVE-2026-48282 (CVSS 10.0) — Path Traversal
  • CVE-2026-48283 (CVSS 10.0) — Unrestricted File Upload

Details of CVE-2026-48276 (SOCRadar Vulnerability Intelligence)

Beyond those, Adobe also lists other high-severity issues. CVE-2026-48313 (CVSS 9.3) is an Arbitrary File Read vulnerability, and CVE-2026-48315 (CVSS 9.3) is a Privilege Escalation vulnerability. Additional notable issues include CVE-2026-48307 (CVSS 8.8), CVE-2026-48285 (CVSS 8.6), and CVE-2026-48314 (CVSS 6.5).

Which ColdFusion Versions Are Affected?

  • ColdFusion 2025 Update 9 and earlier → upgrade to Update 10
  • ColdFusion 2023 Update 20 and earlier → upgrade to Update 21

What Adobe Patched in APSB26-69 (Campaign Classic)

APSB26-69 addresses a single maximum-severity issue in Adobe Campaign Classic (ACC) v7.

What Is CVE-2026-48286?

CVE-2026-48286 (CVSS 10.0) is an Incorrect Authorization flaw (CWE-863) with Remote Code Execution impact. The published CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects a remotely exploitable issue that requires no authentication or user interaction.

Because public technical detail is still limited, defenders should focus first on prompt patching and exposure reduction.

Details of CVE-2026-48286 (SOCRadar Vulnerability Intelligence)

Scope: On-Premise Instances Only

This scoping detail matters for triage:

  • The update applies to on-premise instances, including fully on-prem deployments and on-prem components in hybrid setups.
  • Adobe-hosted instances are already remediated, and Adobe indicates customers do not need to take action for those environments.

Which ACC Versions Are Affected?

  • ACC v7 7.4.3 build 9396 and earlier (Windows and Linux) → upgrade to build 9397

Risk and Prioritization Notes for Defenders

Even without confirmed exploitation, both bulletins are Priority 1 and include CVSS 10.0 issues. For practical prioritization:

  • ColdFusion: Multiple independent paths to RCE are listed (upload, traversal, input validation). That breadth increases the likelihood that at least one attack path is viable in any given deployment.
  • Campaign Classic: A network-reachable, no-privileges authorization flaw with RCE impact should be treated as high priority for any internet-reachable or widely reachable internal deployment, especially where ACC connects to mail infrastructure, customer data, and automation workflows.

How SOCRadar Can Help Teams Triage Exposure

For organizations managing many business applications and mixed hosting models, prioritization often comes down to two questions: “Where are we exposed?” and “Which issues are turning into attacker activity?”

  • SOCRadar Threat Intelligence can support vulnerability response with Vulnerability Intelligence by tracking high-impact CVEs, enrichment context, and emerging signals around exploitation.
  • Attack Surface Management (ASM) helps identify internet-facing ColdFusion or ACC assets and supports faster scoping when Priority 1 advisories land.

SOCRadar’s Vulnerability Intelligence

Remediation Guidance

Adobe ColdFusion (APSB26-68)

Organizations using ColdFusion should treat this as a Priority 1 update and upgrade immediately:

  • ColdFusion 2025 Update 9 and earlier → upgrade to Update 10
  • ColdFusion 2023 Update 20 and earlier → upgrade to Update 21

Beyond patching, Adobe recommends applying relevant hardening measures. Review your JDK/JRE LTS versions to ensure they align with Adobe’s guidance, and follow the applicable ColdFusion security and lockdown recommendations for your deployment model. For JEE deployments rather than standalone installations, Adobe also advises implementing its JVM serial filter guidance and setting the -Djdk.serialFilter=… option in the correct application server startup configuration.

Operationally, teams should also verify that the running build version reflects the update, rather than relying solely on installer completion messages. Prioritize internet-facing ColdFusion services first, since the vulnerability classes involved are consistent with common remote compromise paths.

Adobe Campaign Classic (APSB26-69)

For Adobe Campaign Classic, patch any on-premises or hybrid on-premises components by upgrading to ACC v7 7.4.3 build 9397.

It is also important to confirm your hosting model. Adobe states that Adobe-hosted ACC environments have already been remediated, but any customer-managed Campaign Classic components should still be treated as in scope and patched accordingly.
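
The version and scoping rules above can be applied to an asset inventory to produce a patch worklist. The following is an added example, not code from Adobe or SOCRadar; the inventory field names, host names and sample records are hypothetical, and "level" is assumed to hold the update or build number read from the running instance.

```python
# Added example: thresholds copied from the bulletin summaries in this article.
# (product, release) -> (highest affected level, fixed level)
FIXES = {
    ("coldfusion", "2025"): (9, "Update 10"),
    ("coldfusion", "2023"): (20, "Update 21"),
    ("acc", "7.4.3"): (9396, "build 9397"),
}

def triage(asset):
    """Classify one inventory record as (status, action)."""
    # APSB26-69 scope: Adobe-hosted ACC instances are already remediated.
    if asset["product"] == "acc" and asset.get("hosting") == "adobe-hosted":
        return ("no-action", "remediated by Adobe")
    fix = FIXES.get((asset["product"], asset["release"]))
    if fix is None:
        # Release not named in the article: do not guess, send to a human.
        return ("review", "release not listed; check the bulletin")
    ceiling, target = fix
    # "level" must be the update/build read from the running instance,
    # not the value an installer reported.
    if asset["level"] <= ceiling:
        return ("vulnerable", "upgrade to " + target)
    return ("patched", "none")

def worklist(assets):
    """Vulnerable hosts with their action, internet-facing ones first."""
    hits = [a for a in assets if triage(a)[0] == "vulnerable"]
    hits.sort(key=lambda a: not a["internet_facing"])  # stable sort
    return [(a["host"], triage(a)[1]) for a in hits]

# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE_INVENTORY = [
    {"host": "cf-int-01", "product": "coldfusion", "release": "2023",
     "level": 21, "internet_facing": False},
    {"host": "cf-web-01", "product": "coldfusion", "release": "2025",
     "level": 9, "internet_facing": True},
    {"host": "cf-app-02", "product": "coldfusion", "release": "2023",
     "level": 18, "internet_facing": False},
    {"host": "acc-mkt-01", "product": "acc", "release": "7.4.3",
     "level": 9396, "hosting": "on-prem", "internet_facing": True},
    {"host": "acc-saas", "product": "acc", "release": "7.4.3",
     "level": 9390, "hosting": "adobe-hosted", "internet_facing": True},
    {"host": "cf-old", "product": "coldfusion", "release": "2021",
     "level": 5, "internet_facing": False},
]

if __name__ == "__main__":
    for host, action in worklist(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Records that come back as "review" are releases this article does not list, so they need a manual check against the bulletin instead of an automatic verdict.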