Adobe Patches Critical ColdFusion, Campaign Classic Vulnerabilities
Adobe has released security updates addressing multiple critical vulnerabilities in ColdFusion and Campaign Classic. Seven vulnerabilities have a maximum severity rating of 10/10 and could allow arbitrary code execution. The Campaign Classic update, version 7.4.3 build 9397, fixes an incorrect authorization issue. ColdFusion updates for versions 2025 and 2023 fix 11 security defects, including critical issues related to file upload, input validation, and path traversal. Additional vulnerabilities include privilege escalation, arbitrary file system read, cross-site scripting, and server-side request forgery. Adobe advises users to update their applications promptly. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
Adobe patched multiple critical vulnerabilities in ColdFusion (versions 2025 and 2023) and Campaign Classic (version 7.4.3 build 9397). The Campaign Classic vulnerability CVE-2026-48286 is an incorrect authorization flaw with a CVSS score of 10.0 that could lead to arbitrary code execution. The ColdFusion updates address 11 vulnerabilities, including six with a CVSS score of 10.0 (CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, CVE-2026-48282, CVE-2026-48283) related to unrestricted file uploads, improper input validation, and path traversal. Other critical issues include path traversal and privilege escalation (CVE-2026-48313, CVE-2026-48315), cross-site scripting (CVE-2026-48307), and SSRF (CVE-2026-48285); a medium-severity path traversal (CVE-2026-48314) is also fixed. Adobe has assigned a priority rating of 1 to these updates, indicating high exploitation potential, though no active exploits are known. Users should apply ColdFusion 2025 Update 10, ColdFusion 2023 Update 21, and Campaign Classic 7.4.3 build 9397 to remediate these issues.
Potential Impact
The vulnerabilities could allow attackers to execute arbitrary code, read arbitrary files, escalate privileges, bypass security features, and perform cross-site scripting attacks. This could lead to full compromise of affected systems running ColdFusion or Campaign Classic if exploited. The severity ratings of 10/10 for multiple vulnerabilities indicate critical risk. No public exploits are currently known, but Adobe considers the risk high enough to prioritize patching.
Mitigation Recommendations
Adobe has released official patches for all identified vulnerabilities. Users should update to Adobe Campaign Classic version 7.4.3 build 9397, ColdFusion 2025 Update 10, and ColdFusion 2023 Update 21 as soon as possible. There are no indications that additional mitigations are required beyond applying these updates. Because these are on-premises products, Adobe supplies the fixes but users must apply the patches themselves.
Technical Details
- Article Source: https://www.securityweek.com/adobe-patches-critical-coldfusion-campaign-classic-vulnerabilities/ (fetched 2026-07-01T11:36:23.137Z, word count 968)
Threat ID: 6a44fbb727e9c7971967e478
Added to database: 07/01/2026, 11:36:23 UTC
Last enriched: 07/01/2026, 11:36:35 UTC
Last updated: 07/01/2026, 13:11:19 UTC