Adobe fixes 7 critical ColdFusion and Campaign flaws

Summary
– Adobe released patches for seven maximum-severity vulnerabilities in ColdFusion and Campaign Classic, all exploitable in low-complexity attacks without user interaction.
– Six ColdFusion flaws (CVE-2026-48276, etc.) affect versions 2025.9, 2023.20 and earlier, allowing unprivileged attackers remote code execution.
– The Campaign Classic flaw (CVE-2026-48286) affects on-premises versions 7.4.3 build 9396 and earlier, enabling arbitrary code execution in the user’s context.
– Adobe will switch to twice-monthly security bulletins from July 14, 2026, to deploy updates faster, while maintaining out-of-band responses for zero-day threats.
– Over five years, CISA has added 79 Adobe flaws to its actively exploited vulnerabilities catalog, with 10 abused by ransomware gangs.
Adobe has issued critical security patches addressing seven maximum-severity vulnerabilities found in the ColdFusion web application development platform and the Campaign Classic marketing automation platform. These flaws are considered highly dangerous due to their potential for low-complexity exploitation that requires no user interaction, earning them a priority 1 rating from the company.
“These updates resolve vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends administrators install the update as soon as possible, for example, within 72 hours,” the company stated. However, Adobe clarified that it is not currently aware of any active exploits in the wild for the issues addressed in these updates, as noted in advisories released on Tuesday.
Six of the critical security flaws, tracked as CVE-2026-48276, CVE-2026-48277, CVE-2026-48281, CVE-2026-48316, and CVE-2026-48282, impact ColdFusion versions 2025.9, 2023.20, and earlier. Unauthenticated attackers can leverage these vulnerabilities to achieve remote code execution on unpatched systems without requiring any privileges.
In the Campaign Classic platform, the most severe vulnerability (tracked as CVE-2026-48286) affects versions 7.4.3 build 9396 and earlier. Successful exploitation could allow an attacker to execute arbitrary code within the context of the current user. According to Adobe’s security advisory, this flaw only impacts on-premises Adobe Campaign instances, including fully on-premises deployments and hybrid setups with on-premises components, as the issue has already been resolved on Adobe-hosted instances.
Separately, Aanchal Gupta, Adobe’s Chief Security Officer (CSO), announced on Thursday that the company will shift to a twice-monthly security bulletin schedule starting July 14, 2026, to accelerate the delivery of security updates. “Effective July 14, 2026, Adobe is moving from monthly to twice-monthly publication of Adobe Security Bulletins and Advisories on the second and fourth Tuesday of each month,” Gupta said. “For actively exploited vulnerabilities or externally discovered zero-day vulnerabilities, our out-of-band response process remains in effect.”
This latest patch cycle follows an emergency fix in early April for an Acrobat Reader vulnerability (CVE-2026-34621) that had been exploited in zero-day attacks since at least December. Over the past five years, the Cybersecurity and Infrastructure Security Agency (CISA) has cataloged 79 actively exploited vulnerabilities in Adobe products, with 10 of those also abused by ransomware gangs.
(Source: BleepingComputer)




