threat-wire

Adobe Patches Seven Maximum-Severity ColdFusion and Campaign Flaws

Adobe shipped patches for seven maximum-severity flaws across ColdFusion and Campaign Classic, including one CVE scored a perfect 10.0 that lets an unauthenticated attacker run code as SYSTEM. No active exploitation has been confirmed yet, but the fixes are worth applying now given how fast these bugs tend to get weaponized.

By SecureBusinessHub Editorial, International cybersecurity desk

The flaw that matters most

Adobe's biggest fix this week is CVE-2026-48286, an incorrect authorization bug in Campaign Classic that scores a perfect 10.0 on the CVSS scale. An attacker who reaches a vulnerable server can run arbitrary code on it without ever logging in. It affects only on-premise Adobe Campaign deployments, specifically ACC v7 7.4.3 build 9396 and earlier on Windows and Linux. Adobe-hosted instances were already updated and need no action from customers.

What else shipped this week

Alongside Campaign Classic, Adobe patched ColdFusion 2023 (now at Update 21) and ColdFusion 2025 (now at Update 10) to close out a cluster of critical and important flaws credited to researchers Anirudh Anand, Matan Sandori, and 2Bsecure: CVE-2026-48283, CVE-2026-48313, and CVE-2026-48307. Follow-up analysis from watchTowr Labs found the same round of fixes also quietly closed CVE-2026-48282, an arbitrary file write bug, and CVE-2026-48313, an arbitrary file read issue, along with a batch of related problems around file move, delete, and directory listing that Adobe didn't call out individually.

Security researcher Sina Kheirkhah dug into CVE-2026-48276, a file upload path traversal flaw. The fix blocks a handful of dangerous file extensions (jspf, cfmail, and war among them) and adds a script check to stop path traversal during uploads. The catch is that file uploads are disabled in ColdFusion by default, so the vulnerable code only runs if an administrator explicitly turned that feature on. Once it's on, though, Kheirkhah found the upload endpoint reachable with no authentication at all. A single crafted request writes a file to disk running as NT AUTHORITY\SYSTEM.

Are you exposed?

  • Check your ColdFusion version. Anything older than 2023 Update 21 or 2025 Update 10 needs the patch.
  • Check your Campaign Classic build number. On-premise deployments need ACC v7 7.4.3 build 9397 or later; Adobe-hosted customers are already covered.
  • In the ColdFusion Administrator, check whether file upload functionality has been explicitly enabled. If it has, patch immediately and review upload logs for unexpected files written by the IIS or Apache service account.
  • If you can't patch today, disable file uploads in ColdFusion Administrator as a stopgap, since the vulnerable code path requires that setting to be on.
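To turn the checklist above into a repeatable fleet check, here is an added Python example (not from the article, Adobe, or any of the named researchers) that applies the stated fixed versions to a constructed inventory listing. The inventory line format and the `uploads=on`/`uploads=off` flag are assumptions for the example; neither product emits such a listing natively, so you would feed it from your own CMDB or scan output.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Fixed versions as stated in the bulletin coverage above.
CF_FIXED_UPDATE = {2023: 21, 2025: 10}   # ColdFusion release year -> first fixed Update number
ACC_FIXED = (7, 4, 3, 9397)              # Campaign Classic v7 7.4.3 build 9397

# Inventory line format is an assumption for this example, not any real tool's output.
CF_RE = re.compile(r"ColdFusion\s+(\d{4})(?:\s+Update\s+(\d+))?", re.I)
ACC_RE = re.compile(r"Campaign Classic\s+v?(\d+)\.(\d+)\.(\d+)\s+build\s+(\d+)", re.I)

# Constructed sample inventory: hostname, product string, optional upload setting.
INVENTORY = """\
web01  ColdFusion 2023 Update 20  uploads=on
web02  ColdFusion 2025 Update 10  uploads=off
web03  ColdFusion 2021 Update 15  uploads=off
mkt01  Campaign Classic v7.4.3 build 9396
mkt02  Campaign Classic v7.4.3 build 9400
"""

@dataclass
class Finding:
    host: str
    product: str
    status: str    # "patched", "vulnerable" or "unknown"
    priority: str  # "urgent", "patch" or "none"
    detail: str

def assess_line(line: str) -> Finding:
    host = line.split()[0]
    uploads_on = "uploads=on" in line
    if m := CF_RE.search(line):
        release, update = int(m.group(1)), m.group(2)
        fixed: Optional[int] = CF_FIXED_UPDATE.get(release)
        if fixed is None:        # older release line: "anything older than 2023 Update 21" needs the patch
            status, detail = "vulnerable", f"ColdFusion {release} predates the fixed 2023/2025 builds"
        elif update is None:     # no Update number recorded: treat as unpatched until verified
            status, detail = "vulnerable", f"ColdFusion {release} with unknown Update level"
        elif int(update) >= fixed:
            status, detail = "patched", f"ColdFusion {release} Update {update} >= Update {fixed}"
        else:
            status, detail = "vulnerable", f"ColdFusion {release} Update {update} < Update {fixed}"
        # The unauthenticated upload path only runs when uploads were explicitly enabled.
        priority = "none" if status == "patched" else ("urgent" if uploads_on else "patch")
        return Finding(host, "ColdFusion", status, priority, detail)
    if m := ACC_RE.search(line):
        ver = tuple(int(x) for x in m.groups())  # (major, minor, patch, build) compares lexicographically
        if ver >= ACC_FIXED:
            return Finding(host, "Campaign Classic", "patched", "none", f"build {ver[3]} >= {ACC_FIXED[3]}")
        return Finding(host, "Campaign Classic", "vulnerable", "urgent", f"build {ver[3]} < {ACC_FIXED[3]}")
    return Finding(host, "?", "unknown", "none", "no recognized product string")

def triage(inventory: str) -> list[Finding]:
    return [assess_line(l) for l in inventory.splitlines() if l.strip()]
```

Hosts flagged `urgent` are the ones to patch first: an unpatched ColdFusion with uploads enabled, or any on-premise Campaign Classic below build 9397.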

Adobe also announced it's moving from monthly to twice-monthly security bulletins starting July 14, citing accelerated vulnerability research on both sides of the fence. "The frontier AI capabilities we are using are also available to attackers, and the window between public vulnerability disclosure and active exploitation is compressing from days to hours," said Adobe CSO Aanchal Gupta. Adobe says it hasn't found evidence of active exploitation for any of this week's flaws, but that shrinking window is exactly why the ColdFusion and Campaign Classic patches are worth applying now rather than at the next scheduled maintenance window.

Both products tend to sit further from the spotlight than a browser or an operating system, which is exactly the risk. ColdFusion runs the backend for a lot of older business web applications that IT teams inherited rather than built, and Campaign Classic typically holds customer email lists, contact details, and campaign history, the kind of data that turns a server compromise into a breach notification. Neither product gets the same day-one scrutiny as a Windows or Chrome patch, so a maximum-severity flaw sitting unpatched on a system nobody thinks about often is precisely how a CVSS 10.0 turns into an actual incident months later.