PROBABLYPWNED
Vulnerabilities · July 2, 2026 · 4 min read

Adobe Patches 7 Max-Severity ColdFusion, Campaign Flaws

Seven CVSS 10.0 vulnerabilities in Adobe ColdFusion and Campaign Classic enable unauthenticated RCE. Adobe shifts to twice-monthly security bulletins citing AI-accelerated discovery.

Marcus Chen

Adobe released patches for seven maximum-severity vulnerabilities affecting ColdFusion and Campaign Classic, all rated CVSS 10.0 and capable of enabling unauthenticated remote code execution. The company simultaneously announced a shift to twice-monthly security bulletins, acknowledging that AI-assisted vulnerability discovery has accelerated the pace of security disclosures.

The July security updates address critical flaws that require immediate attention from organizations running on-premise ColdFusion or Campaign Classic deployments.

ColdFusion: Six Critical RCE Paths

The ColdFusion vulnerabilities fall into three categories: unrestricted file upload, improper input validation, and path traversal. The first two lead to the same outcome, arbitrary code execution on affected servers; the path traversal flaws range from arbitrary code execution to arbitrary file system read and privilege escalation.

Unrestricted File Upload:

Improper Input Validation:

Path Traversal:

  • CVE-2026-48282 (CVSS 10.0) - arbitrary code execution
  • CVE-2026-48313 (CVSS 9.3) - arbitrary file system read
  • CVE-2026-48315 (CVSS 9.3) - privilege escalation

The file upload vulnerabilities allow attackers to upload dangerous file types to the server without restriction. Combined with improper input validation, these flaws provide multiple paths to server compromise. Organizations running ColdFusion 2023 should update to Update 21; ColdFusion 2025 users need Update 10.

ColdFusion has been a recurring target in enterprise attacks. Earlier this year, CISA added multiple ColdFusion flaws to its Known Exploited Vulnerabilities catalog, and web shells deployed via ColdFusion have featured in several high-profile breaches affecting government and healthcare organizations.

Campaign Classic: Authorization Bypass to RCE

The seventh CVSS 10.0 vulnerability affects Adobe Campaign Classic v7, the on-premise version of Adobe's marketing automation platform.

CVE-2026-48286 is an incorrect authorization flaw that enables arbitrary code execution. Attackers can bypass authorization controls and execute code on Campaign Classic servers without valid credentials.

The vulnerability affects version 7.4.3 build 9396 and earlier. Adobe released version 7.4.3 build 9397 to address the flaw. Cloud-hosted Campaign instances were already patched on Adobe's infrastructure—only on-premise deployments require manual updates.

AI Forces Schedule Change

Adobe announced an immediate change to its security bulletin schedule, moving from monthly to twice-monthly publication starting July 14, 2026. Security updates will now release on the second and fourth Tuesday of each month.

The company cited AI-accelerated vulnerability discovery as the driver. Frontier AI models can now analyze large codebases and identify security flaws faster than traditional research methods. Adobe's response acknowledges that monthly patch cycles can't keep pace with discovery rates when AI tools are involved.

This mirrors broader industry concerns about AI-assisted security research. The same capabilities that help defenders find bugs faster also enable adversaries to identify exploitable flaws before patches exist. Adobe's schedule change represents one organizational response to that acceleration.

Recommended Actions

Organizations running affected Adobe products should:

  1. Patch immediately - All seven CVSS 10.0 vulnerabilities enable remote code execution and should be treated as critical
  2. Verify deployment type - Campaign Classic cloud customers are already protected; on-premise deployments need manual updates
  3. Monitor for exploitation - No active exploitation has been reported, but CVSS 10.0 vulnerabilities attract rapid weaponization
  4. Review access controls - Limit network exposure of ColdFusion and Campaign Classic servers where possible

Adobe's advisory notes no evidence of in-the-wild exploitation for any of the seven vulnerabilities. But the combination of maximum severity scores and unauthenticated attack vectors means exploit development is likely underway. The typical window between disclosure and weaponization for CVSS 10.0 vulnerabilities has compressed significantly—sometimes to single-digit days for particularly attractive targets.
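The first two recommended actions reduce to an inventory question: which hosts are below the fixed levels named above, and which are out of scope because Adobe already patched them? The following is an added example (not Adobe's code or tooling) that triages a constructed asset list against the versions stated in this article: ColdFusion 2023 Update 21, ColdFusion 2025 Update 10, and Campaign Classic 7.4.3 build 9397. The `Asset` record shape and the sample hosts are assumptions for illustration; ColdFusion releases the article does not name are reported as `unknown` rather than assumed safe, and Campaign versions above 7.4.3 are treated as patched, which is an assumption the article does not state.

```python
"""Triage an asset inventory against the fixed versions in Adobe's July 2026 bulletins.

Added example, not Adobe's code. Fixed levels are taken from the article:
ColdFusion 2023 -> Update 21, ColdFusion 2025 -> Update 10,
Campaign Classic v7 -> 7.4.3 build 9397 (build 9396 and earlier affected).
Cloud-hosted Campaign is excluded because Adobe patched it server-side.
The Asset layout and the sample inventory below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Minimum patched update level per ColdFusion release named in the bulletin.
COLDFUSION_MIN_UPDATE: Dict[str, int] = {"2023": 21, "2025": 10}
# Minimum patched Campaign Classic version and build.
CAMPAIGN_MIN: Tuple[str, int] = ("7.4.3", 9397)


@dataclass
class Asset:
    host: str
    product: str             # "coldfusion" or "campaign" (assumed inventory field)
    version: str             # ColdFusion: "2023" / "2025"; Campaign: "7.4.3"
    level: int               # ColdFusion: update number; Campaign: build number
    hosting: str = "onprem"  # "onprem" or "cloud"


def _version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '7.4.3' into (7, 4, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def assess(asset: Asset) -> str:
    """Return 'patched', 'vulnerable', 'not_applicable' or 'unknown' for one asset."""
    if asset.product == "coldfusion":
        required = COLDFUSION_MIN_UPDATE.get(asset.version)
        if required is None:
            # Release not covered by the bulletin text: do not assume it is safe.
            return "unknown"
        return "patched" if asset.level >= required else "vulnerable"

    if asset.product == "campaign":
        if asset.hosting == "cloud":
            # Adobe patched cloud-hosted Campaign on its own infrastructure.
            return "not_applicable"
        min_version, min_build = CAMPAIGN_MIN
        try:
            have = _version_tuple(asset.version)
        except ValueError:
            return "unknown"  # malformed version string in the inventory
        need = _version_tuple(min_version)
        if have > need:
            return "patched"      # assumption: later releases include the fix
        if have < need:
            return "vulnerable"   # "7.4.3 build 9396 and earlier" covers older releases
        return "patched" if asset.level >= min_build else "vulnerable"

    return "unknown"


def triage(assets: List[Asset]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the vulnerable list can go straight to patching."""
    report: Dict[str, List[str]] = {
        "patched": [], "vulnerable": [], "not_applicable": [], "unknown": []
    }
    for asset in assets:
        report[assess(asset)].append(asset.host)
    return report


# Constructed sample inventory (hostnames and levels are made up).
SAMPLE_ASSETS: List[Asset] = [
    Asset("cf-web-01", "coldfusion", "2023", 20),
    Asset("cf-web-02", "coldfusion", "2023", 21),
    Asset("cf-api-01", "coldfusion", "2025", 9),
    Asset("cf-legacy", "coldfusion", "2021", 18),
    Asset("acc-mkt-01", "campaign", "7.4.3", 9396),
    Asset("acc-mkt-02", "campaign", "7.4.3", 9397),
    Asset("acc-cloud", "campaign", "7.4.3", 9396, hosting="cloud"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_ASSETS).items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

Feeding a real CMDB export through `triage` gives the patch list for step 1 and the cloud exclusions for step 2; anything landing in `unknown` needs a human to check the advisory rather than being silently dropped.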

Why This Matters

Seven CVSS 10.0 vulnerabilities in a single patch release is unusual even for software as frequently targeted as ColdFusion. The volume reflects both the severity of the underlying architecture issues and the accelerating pace of discovery.

Adobe's schedule change signals that the vendor expects this velocity to continue. Organizations dependent on Adobe enterprise products should plan for more frequent patching cycles and build that overhead into maintenance windows.

The shift also raises questions about organizations that can't patch quickly. Twice-monthly security releases assume defenders can deploy updates rapidly. Enterprises with lengthy change control processes or complex ColdFusion deployments may find themselves persistently behind as the gap between disclosure and expected patching narrows.
